This is the accessible text file for GAO report number GAO-06-674 entitled 'Personal Information: Key Federal Privacy Laws Do Not Require Information Resellers to Safeguard All Sensitive Data' which was released on July 26, 2006. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to the Committee on Banking, Housing and Urban Affairs, U.S. Senate: United States Government Accountability Office: GAO: June 2006: Personal Information: Key Federal Privacy Laws Do Not Require Information Resellers to Safeguard All Sensitive Data: Personal Information: GAO-06-674: GAO Highlights: Highlights of GAO-06-674, a report to the Committee on Banking, Housing and Urban Affairs, U.S. Senate Why GAO Did This Study: The growth of information resellers—companies that collect and resell publicly available and private information on individuals—has raised privacy and security concerns about this industry. These companies collectively maintain large amounts of detailed personal information on nearly all American consumers, and some have experienced security breaches in recent years. GAO was asked to examine (1) financial institutions’ use of resellers; (2) federal privacy and security laws applicable to resellers; (3) federal regulators’ oversight of resellers; and (4) regulators’ oversight of financial institution compliance with privacy and data security laws. To address these objectives, GAO analyzed documents and interviewed representatives from 10 information resellers, 14 financial institutions, 11 regulators, industry and consumer groups, and others. What GAO Found: Financial institutions such as banks, credit card companies, securities firms, and insurance companies use personal data obtained from information resellers to help make eligibility determinations, comply with legal requirements, prevent fraud, and market their products. For example, lenders rely on credit reports sold by the three nationwide credit bureaus to help decide whether to offer credit and on what terms. Some companies also use reseller products to comply with PATRIOT Act rules, to investigate fraud, and to identify customers with specific characteristics for marketing purposes. GAO found that the applicability of the primary federal privacy and data security laws—the Fair Credit Reporting Act (FCRA) and Gramm-Leach- Bliley Act (GLBA)—to information resellers is limited. FCRA applies to information collected or used to help determine eligibility for such things as credit or insurance, while GLBA only applies to information obtained by or from a GLBA-defined financial institution. Although these laws include data security provisions, consumers could benefit from the expansion of such requirements to all sensitive personal information held by resellers. The Federal Trade Commission (FTC) is the primary federal agency responsible for enforcing information resellers’ compliance with FCRA’s and GLBA’s privacy and security provisions. Since 1972, the agency has initiated formal enforcement actions against more than 20 resellers, including the three nationwide credit bureaus, for violating FCRA. However, FTC does not have civil penalty authority under the privacy and safeguarding provisions of GLBA, which may reduce its ability to enforce that law most effectively against certain violations, such as breaches of mass consumer data. In overseeing compliance with privacy and data security laws, federal banking and securities regulators have issued guidance, conducted examinations, and taken formal and informal enforcement actions. A recent national survey sponsored by the National Association of Insurance Commissioners (NAIC) identified some noncompliance with GLBA by insurance companies, but state regulators have not laid out clear plans with NAIC for following up to ensure these issues are adequately addressed. Figure: Typical Information Flow through Resellers to Financial Institutions: [See PDF for Image] Source: GAO(analysis); Art Explosion (image). [End of Figure] What GAO Recommends: Congress should consider (1) requiring information resellers to safeguard all sensitive personal information they hold, and (2) giving FTC civil penalty authority for enforcement of GLBA’s privacy and safeguarding provisions. GAO also recommends that state insurance regulators ensure compliance with GLBA. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-674]. To view the full product, including the scope and methodology, click on the link above. For more information, contact Yvonne D. Jones at (202) 512-8678 or jonesy@gao.gov. [End of Section] Contents: Letter: Results in Brief: Background: Financial Institutions Use Information Resellers for Eligibility Determinations, Fraud Prevention, PATRIOT Act Compliance, and Marketing: Federal Privacy and Information Security Laws Apply to Many Information Reseller Products, Depending on Their Use and Source: FTC Has Primary Responsibility for Enforcing Information Resellers' Compliance with Privacy and Information Security Laws: Agencies Differ in Their Oversight of the Privacy and Security of Personal Information at Financial Institutions: Conclusions: Matters for Congressional Consideration: Recommendation for Executive Action: Agency Comments: Appendix I: Scope and Methodology: Appendix II: Sample Information Reseller Reports: Sample Insurance Claims History Report: Sample Deposit Account History Report: Sample Identity Verification and OFAC Screening Report: Sample Fraud Investigation Report: Appendix III: Comments from the Federal Trade Commission: Appendix IV: GAO Contact and Staff Acknowledgments: Figures: Figure 1: Typical Information Flow through Resellers to Financial Institutions: Figure 2: GLBA Privacy Provisions: Figure 3: Enforcement Responsibilities for Selected Financial Institutions under FCRA and GLBA: Figure 4: Sample Insurance Claims History Report: Figure 5: Sample Deposit Account History Report: Figure 6: Sample Identity Verification and OFAC Screening Report: Figure 7: Sample Fraud Investigation Report: Abbreviations: CRA: consumer reporting agency: DISB: District of Columbia's Department of Insurance, Securities and Banking: FACT Act: Fair and Accurate Credit Transactions Act: FCRA: Fair Credit Reporting Act: FDIC: Federal Deposit Insurance Corporation: FFIEC: Federal Financial Institutions Examination Council: FRB: Board of Governors of the Federal Reserve System: FTC: Federal Trade Commission: FTC Act: Federal Trade Commission Act: GLBA: Gramm-Leach-Bliley Act: NAIC: National Association of Insurance Commissioners: NCUA: National Credit Union Administration: NYSE Regulation: New York Stock Exchange Regulation: OCC: Office of the Comptroller of the Currency: OFAC: Office of Foreign Assets Control: OTS: Office of Thrift Supervision: SEC: Securities and Exchange Commission: USA PATRIOT ACT: Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act: United States Government Accountability Office: Washington, DC 20548: June 26, 2006: The Honorable Richard C. Shelby: Chairman: The Honorable Paul S. Sarbanes: Ranking Minority Member: Committee on Banking, Housing and Urban Affairs: United States Senate: The growth in recent years of information resellers--companies that collect, aggregate, and resell publicly available and private information on individuals--has raised privacy and security concerns related to this industry.[Footnote 1] Information resellers maintain and sell vast amounts of detailed personal information on nearly all American consumers--including such things as Social Security numbers, home and automobile values, occupations and hobbies. In addition, security breaches at some of these companies have raised concerns in light of the increasing problem of identity theft. Some policymakers and consumer advocates believe that not enough is known about these resellers and the information about consumers that they maintain and share. Information resellers include consumer reporting agencies (CRA), which assemble and share credit histories and other personal information used to help make important decisions about individuals, such as their eligibility for financial services. Other companies, sometimes called "data brokers," collect personal information from a variety of sources for such things as marketing and fraud prevention. Advances in technology and the computerization of public records in recent years have fostered significant growth in the size of the reseller industry and the amount of personal consumer data that these companies assemble and distribute. The primary federal laws governing the sharing and use of personal information by private sector companies are the Fair Credit Reporting Act (FCRA) and subtitle A of title V of the Gramm-Leach-Bliley Act (GLBA).[Footnote 2] Several federal and state agencies and self- regulatory organizations enforce these laws, including the Federal Trade Commission (FTC); the banking regulators--Board of Governors of the Federal Reserve System (FRB), Office of the Comptroller of the Currency (OCC), Office of Thrift Supervision (OTS), Federal Deposit Insurance Corporation (FDIC), and National Credit Union Administration (NCUA); the securities regulators--Securities and Exchange Commission (SEC), NASD (formerly known as the National Association of Securities Dealers), and New York Stock Exchange Regulation (NYSE Regulation); and state insurance regulators. Concerned about financial institutions' use of information resellers, you asked us to examine (1) how financial institutions use data products supplied by information resellers, the types of information contained in these products, and the sources of the information; (2) how federal laws governing the privacy and security of personal data apply to information resellers, and what rights and opportunities exist for individuals to view and correct data held by resellers; (3) how federal financial institution regulators and the FTC oversee information resellers' compliance with federal privacy and information security laws; and (4) how federal financial institution regulators, state insurance regulators, and the FTC oversee financial institutions' compliance with federal privacy and information security laws governing consumer information, including information supplied by information resellers. To address these objectives, we gathered and analyzed documents, and interviewed representatives from, 10 major information resellers; 14 financial institutions in the banking, securities, credit card, property/casualty insurance, and consumer lending industry sectors; and trade associations representing these firms. We also met with experts in the area of privacy law and with consumer advocacy organizations active in the field. Our audit work allows us to represent how financial institutions that offer a sizable and diverse portion of financial services in the United States use information resellers, and to describe the types of information products offered by the information resellers most commonly identified by these financial institutions. Our findings, however, are not representative of all financial institutions and information resellers. We also analyzed relevant laws, guidance, and regulations. Finally, to describe federal and state enforcement and supervisory activities, we interviewed and analyzed documents from FTC; the five federal banking and three securities regulators; the National Association of Insurance Commissioners (NAIC), which represents state insurance regulators; and the District of Columbia's Department of Insurance, Securities and Banking (DISB). We conducted our review from June 2005 through May 2006 in accordance with generally accepted government auditing standards. A more extensive discussion of our scope and methodology appears in appendix I. Results in Brief: Financial institutions use data from information resellers to help determine individuals' eligibility for credit and insurance, comply with legal requirements, prevent fraud, and market products. Banks and other lenders use reseller data to help make eligibility and interest rate decisions for new applicants and existing customers, while insurance companies use these data to help make underwriting decisions regarding individual insurance applications. To meet PATRIOT Act requirements designed to prevent money laundering and transactions with known criminals, some financial institutions we spoke with use resellers to confirm the identity of applicants. In addition, reseller data are used to identify and investigate fraud, locate holders of delinquent accounts, and conduct due diligence on individuals associated with new business ventures. Many companies also use certain information reseller products for marketing purposes--such as to target potential customers who have certain characteristics or to gather additional information about existing customers to offer additional products. The specific information maintained by resellers varies depending on the nature of the reseller and the types and purposes of its products. Their products often include credit header data-- identifying information at the top of a credit report that includes such things as name, current and prior addresses, telephone number, and Social Security number. Products used by lenders for eligibility determinations typically also contain detailed credit histories and scores, while products used by insurers may also contain past insurance claims filed by applicants. Many reseller products, particularly those used for fraud detection, include court and property records and bankruptcy filings, motor vehicle records, names of family members and associates, and professional licenses. Products used for marketing often include demographic information as well as information on individual consumers' interests and hobbies. Resellers' sources vary depending on the product, but may include public records from government agencies, publicly available information, such as telephone or business directories, and nonpublic or proprietary information from credit bureaus or provided to businesses directly by consumers. The primary federal privacy and data security laws that apply to information resellers are the Fair Credit Reporting Act (FCRA) and the Gramm-Leach-Bliley Act (GLBA), but the applicability of these laws with regard to information resellers is limited. FCRA requires companies to safeguard and restrict their use and distribution of consumer information collected or used to determine eligibility for such things as credit, insurance, or employment, and provides rights to consumers to view and rectify errors in databases containing such information. The applicability of FCRA depends largely on the purpose for which the information is collected, and its intended and actual use, rather than the origins or nature of the information itself. Resellers offer many products from databases they consider not subject to FCRA, such as those used for many marketing and anti-fraud products. Information resellers vary in the extent to which they voluntarily provide consumers additional opportunities to view, correct, and opt out of the sharing of information that is not subject to FCRA. GLBA's privacy provisions restrict the sharing of nonpublic personal information collected by or acquired from financial institutions, except in certain circumstances. However, these provisions only apply to information resellers covered by GLBA's definition of a "financial institution" or that maintain nonpublic personal information originating from such a financial institution. GLBA's safeguarding provisions require that steps be taken to ensure the security and confidentiality of customers' nonpublic personal information, but similarly this applies only to resellers that are GLBA financial institutions. Because of the limited applicability of FCRA and GLBA to information resellers, sensitive personal information these companies maintain is often not covered by explicit statutory safeguarding requirements. For example, some information resellers maintain data such as Social Security numbers in anti-fraud databases or household incomes in marketing databases that they do not consider subject to FCRA's or GLBA's safeguarding provisions. Requiring information resellers to take steps to prevent unauthorized access to all of the sensitive personal information they hold would help ensure that explicit data security requirements apply more comprehensively to a class of companies that maintains large amounts of such data. In addition, no federal statute requires companies to disclose breaches of sensitive personal information, although such a requirement could provide incentives to companies to improve data safeguarding and provide consumers at risk of identity theft or other related harm with useful information. FTC is the primary federal agency responsible for enforcing information resellers' compliance with the privacy and information security requirements of FCRA and GLBA. Because it is a law enforcement agency, as opposed to a regulatory or supervisory agency, FTC does not routinely monitor or examine resellers, but can initiate investigations based on complaints and other sources. Since 1972, the agency has initiated formal enforcement actions against more than 20 consumer reporting agencies, including the three nationwide credit bureaus, for violating FCRA and the Federal Trade Commission Act (FTC Act). For example, in January 2006, ChoicePoint agreed to pay $10 million in civil penalties and $5 million for consumer redress (damages to compensate consumers for losses) to settle FTC charges that the company's security and record-handling procedures allegedly violated FCRA and the FTC Act. Many of FTC's cases involved companies alleged to have provided consumer report information without adequately ensuring that their customers had a permissible purpose for obtaining it. FTC cannot impose civil penalties for violations of GLBA's privacy and safeguarding provisions, as it can under FCRA. FTC has used its existing enforcement authority under GLBA to seek injunctions against financial institutions that have violated that law, and it can also seek redress for consumers. However, FTC staff have said that civil penalties would be a more effective tool for violations involving breaches of mass consumer data. Federal and state regulators vary in the actions they take to oversee financial institutions' compliance with federal privacy and information security laws. In general, regulators told us that their oversight activities focus on the protection of all sensitive data; they do not typically distinguish whether the data were obtained from an information reseller or some other source. The five federal banking regulators have implemented and enforced GLBA and FCRA by issuing regulations and guidance, by using their examination procedures to check compliance with these laws, and by taking enforcement actions to address violations. SEC has issued regulations to implement GLBA for broker-dealers, investment companies, and SEC-registered investment advisers. SEC, NASD, and NYSE Regulation have also issued guidance and examined securities firms for compliance with GLBA's privacy and safeguarding provisions, and as necessary have taken enforcement actions. State insurance regulators are responsible for enforcing GLBA for their states' property-casualty insurers. NAIC told us that state insurance regulators do not typically focus in their examinations on privacy requirements, but that they did recently participate in a multistate survey of insurance company compliance with GLBA. The survey identified a number of areas of noncompliance with GLBA, but the extent to which state regulators will be addressing these problems is unclear. FTC enforces securities firms' and insurance companies' compliance with FCRA and enforces both FCRA and GLBA for all financial institutions not otherwise supervised by another regulator. FTC has issued regulations to implement GLBA and initiated enforcement actions against consumer finance companies for not ensuring the security and confidentiality of sensitive customer information. Some federal banking regulators have authority to examine third-party service providers with which the banks may do business, and regulators have examined a limited number of information resellers under this authority. This report suggests that Congress consider requiring information resellers, and potentially a broader class of entities, to safeguard all sensitive personal information they hold. We also suggest that Congress consider providing FTC with civil penalty authority for its enforcement of GLBA's privacy and safeguarding provisions. In addition, we recommend that state insurance regulators, individually and in concert with NAIC, take additional measures to ensure appropriate enforcement of insurance companies' compliance with GLBA's privacy and safeguarding requirements. We provided a draft of this report to FDIC, FRB, FTC, NAIC, NASD, NCUA, NYSE Regulation, OCC, OTS, and SEC, which provided technical comments that were incorporated as appropriate. In addition, FTC provided written comments, in which the agency noted that it agreed with our suggestions to Congress. Background: "Information reseller" is an umbrella term used to describe a wide variety of businesses that collect and aggregate personal information from multiple sources and make it available to their customers. The industry has grown considerably over the past two decades, in large part due to advances in computer technology and electronic storage. Courthouses and other government offices previously stored personal information in paper-based public records that were relatively difficult to obtain, usually requiring a personal visit to inspect the records. Nonpublic information, such as personal information contained in product registrations or insurance applications was also generally inaccessible. In recent years, however, the electronic storage of public and private records along with increased computer processing speeds and decreased data storage costs have fostered information reseller businesses that collect, organize, and sell vast amounts of personal information on virtually all American consumers. The information reseller industry is large and complex, and these businesses vary in many ways. What constitutes an information reseller is not always clearly defined and little data exist on the total number of firms that offer information products. FTC and other federal agencies do not keep comprehensive lists of companies that resell personal information, and experts say that characterizing the precise size and nature of the information reseller industry can be difficult because it is evolving and lacks a clear definition. Although no comprehensive data exist, industry representatives say there are at least hundreds of information resellers in total, including some companies that provide services over the Internet.[Footnote 3] We include in our definition of information resellers the three nationwide credit bureaus--Equifax, Experian, and TransUnion, which primarily collect and sell information about the creditworthiness of individuals--as well as other resellers such as ChoicePoint, Acxiom, and LexisNexis, which sell information for a variety of purposes, including marketing.[Footnote 4] Other companies that sell information products include eFunds, which provides depository institutions with information on deposit account histories; Thompson West and Regulatory DataCorp, which help companies mitigate fraud and other risks; and ISO, which provides insurers with insurance claims histories and fraud prevention products. Information resellers sell their products to a broad spectrum of customers, including private companies, individuals, law enforcement bureaus and other government agencies.[Footnote 5] Although major information resellers generally offer their products only to customers who have successfully completed a credentialing process, some resellers offer certain products, such as compilations of telephone directory information, to the public at large. All of these businesses differ in nature, and they do not all focus exclusively on aggregating and reselling personal information. For example, Acxiom primarily provides customized computer services, and its information products represent a relatively small portion of the overall activities of the company. Information resellers obtain their information from many different sources (see fig. 1). Generally, three types of information are collected: public records, publicly available information, and nonpublic information. * Public records are a primary source of information about consumers, available to anyone, and can be obtained from governmental entities. What constitutes public records is dependent upon state and federal laws, but generally these include birth and death records, property records, tax lien records, voter registrations, licensing records, and court records (including criminal records, bankruptcy filings, civil case files, and legal judgments). * Publicly available information is information not found in public records but nevertheless publicly available through other sources. These sources include telephone directories, business directories, print publications such as classified ads or magazines, Internet sites, and other sources accessible by the general public. * Nonpublic information is derived from proprietary or nonpublic sources, such as credit header data, product warranty registrations, lists of magazine or catalog subscribers, and other application information provided to private businesses directly by consumers.[Footnote 6] Information resellers hold or have access to databases containing a large variety of information about individuals. Although each reseller varies in the specific personal information it maintains, it can include names, aliases, Social Security numbers, addresses, telephone numbers, motor vehicle records, family members, neighbors, insurance claims, deposit account histories, criminal records, employment histories, credit histories, bankruptcy records, professional licenses, household incomes, home values, automobile values, occupations, ethnicities, and hobbies. Figure 1: Typical Information Flow through Resellers to Financial Institutions: [See PDF for image] Source: GAO(analysis), Art Explosion(image). [End of figure] The various products offered by different types of information resellers are used for a wide range of purposes, including credit and background checks, fraud prevention, and marketing. Resellers often sell their data to each other--for example, the credit bureaus sell credit header data to other resellers for use in identity verification and fraud prevention products. Resellers might also purchase publicly available information from one another, rather than gathering the information themselves. The nature of the databases maintained and products offered by information resellers vary. Credit bureaus maintain an individual file on most Americans containing financial information related to that person's creditworthiness. Most other resellers do not typically maintain complete files on individuals, but rather collect and maintain information in a variety of databases, and then provide their customers with a single consolidated source for a broad array of personal information. Financial Institutions Use Information Resellers for Eligibility Determinations, Fraud Prevention, PATRIOT Act Compliance, and Marketing: Financial institutions in the banking, credit card, securities, and insurance industries use personal data purchased from information resellers primarily to help make eligibility determinations, comply with legal requirements, prevent fraud, and market their products.[Footnote 7] Credit reports from the three nationwide credit bureaus help lenders determine eligibility for and the cost of credit, and reports on insurance claims histories from specialty CRAs help insurance companies make premium decisions for new applicants and existing customers. To meet certain legal requirements and detect and prevent fraud, financial institutions we studied also use reseller products to locate individuals or confirm their identity. In addition, certain reseller products containing demographic data and information on individuals' lifestyle interests and hobbies are used to help market financial products to existing or potential customers with certain characteristics. Consumer Reports Sold by Credit Bureaus and Other CRAs Are Used to Make Credit and Insurance Eligibility Decisions: Banks, credit card companies, and other lenders rely on credit reports sold by the three nationwide credit bureaus--Equifax, Experian, and TransUnion--when deciding whether to offer credit to an individual, at what rate, and on what terms. Banks use credit reports to help assess the credit risk of new customers before opening a new deposit account or providing a mortgage or other loan. Credit card companies use credit reports to determine whether to grant a credit card to an applicant, determine the terms of that card, and to adjust the account terms of current cardholders whose creditworthiness may have changed. In addition to lenders, insurance companies often use scores generated from credit report information to help determine premiums for the policies they underwrite. Credit bureaus receive the information in credit reports from the financial institutions themselves, among other sources. Credit reports consist of a "credit header"--identifying information such as name, current and previous addresses, Social Security number, and telephone number--and a credit history, or other payment history, designed to provide information on the individual's creditworthiness. The credit history might contain information on an individual's current and past credit accounts, including amounts borrowed and owed, credit limits, relevant dates, and payment histories, including any record of late payments. Credit reports also may include public record information on tax liens, bankruptcies, and other court judgments related to the payment of debts. Credit bureaus also sell credit scores, which are numerical representations of predicted creditworthiness based on information in credit reports, and are often used instead of full credit reports. For example, all three credit bureaus sell FICO® credit scores, which use factors such as payment history, amount owed, and length of credit history to help financial institutions predict the likelihood that a person will repay a loan.[Footnote 8] Some financial institutions also use specialty CRAs, which maintain specific types of files on consumers, to help make eligibility decisions. Insurance companies commonly use products from ChoicePoint and ISO, which compile data from insurance companies on the claims that individuals have made against their homeowner's or automobile insurance policies.[Footnote 9] Most insurance companies provide these CRAs with claim and loss information about their customers, including names, driver's license information, type of loss, date of loss, and amount the insurance company paid to settle the claim. The CRAs aggregate this information from multiple insurance companies to create either full reports or risk scores designed to help assess the likelihood that an individual will file a claim. Insurance companies purchase reports, or in some cases scores, associated with individuals applying for insurance and the property being insured to help decide whether to provide coverage and at what rate. Insurance companies also use this information to help determine whether to extend coverage and set premiums for existing policy holders. (See app. II for a sample insurance claims history report.) Insurance industry representatives told us aggregated claims data provided by specialty CRAs are extremely useful in making coverage and rate determinations. They noted, for example, that past losses are the best indicator of future driving risk and thus are useful to firms that underwrite auto insurance. Banks and credit unions frequently assess applicants of new checking and other deposit accounts using products offered by resellers such as ChexSystems, a specialty CRA that is a subsidiary of eFunds. ChexSystems compiles information from banks and credit unions on accounts that have been closed due to account misconduct such as overdrafts, insufficient funds activity, returned checks, bank fraud, and check forgery. The company also aggregates available driver's license information from state departments of motor vehicles, and receives information from check-printing companies on check order histories, which can help identify fraud. Banks we spoke with said that the name and identifying information of a customer seeking to open a new deposit account is typically run through the ChexSystems database. The reports provided back to the financial institution by ChexSystems typically include identifying information, as well as information useful in assessing an applicant's risk, such as the applicant's history of check orders and the source and details of any account misconduct. (See app. II for a sample deposit account history report.) Financial Institutions Use Information Resellers to Comply with the PATRIOT Act, Prevent Fraud, Mitigate Risk, and Locate Individuals: Financial institutions use data purchased from information resellers to comply with legal requirements; detect, prevent, and investigate fraud; identify risks associated with prospective clients; and locate debtors or shareholders. Complying with PATRIOT Act Requirements: Financial institutions we spoke with frequently use products provided by information resellers to comply with PATRIOT Act requirements.[Footnote 10] Congress intended these provisions to help prevent terrorists and other criminals from using the U.S. financial system to fund terrorism and launder money. The act requires financial institutions to develop procedures to assure the identity of new customers.[Footnote 11] Many resellers offer products that verify and validate a new customer's identity by comparing information the customer provided to the financial institution with information aggregated from public and private sources. Some financial institutions, particularly those that offer services by telephone, mail, or the Internet, often confirm customers' identities using these reseller products. Other companies may verify their customers' identity from a driver's license, passport, or other paper document, but use information resellers for additional verification. Financial institutions must also screen their customers to ensure they are not on the Department of the Treasury's Office of Foreign Assets Control (OFAC) Specially Designated Nationals and Blocked Persons List. The list includes individuals and entities that financial institutions are generally prohibited from conducting transactions with because they have been identified as potential terrorists, money launderers, international narcotics traffickers, or other criminals. Many information resellers offer products to financial institutions that screen new customers against the OFAC list; often this screening is packaged with identity verification in a single product. (See app. II for a sample identity verification and OFAC screening report.) The OFAC list is a publicly available government document, but financial institutions told us they use resellers for their screening because it allows them to do so more quickly and helps distinguish between common names on the list that might result in false matches. Some financial institutions use resellers to screen new customers against the OFAC list, while others periodically screen all of their existing customers. Some companies told us they do most of their OFAC screening internally, but sometimes use a reseller to gather additional information confirming whether a potential match is indeed an individual that is on the OFAC list. To verify a customer's identity or conduct an OFAC screening, a financial institution typically uses a Web-based portal to provide an information reseller with basic information about the individual being screened--such as the person's name, Social Security number, address, driver's license number, phone number, and date of birth. The reseller then checks the information against its own records, and typically provides a "pass" response if the information matches, or a "fail" response if, for example, the date of birth does not match the name. Resellers' screening products generally draw on credit header data purchased from the credit bureaus, along with publicly available data such as address and telephone records and drivers' license records from state agencies. Customer verification databases also include information that may indicate suspicious activity, such as prison or campground addresses, disconnected telephone numbers, and Social Security numbers of deceased individuals. Preventing and Detecting Fraud: The financial institutions we reviewed use information reseller tools to assist their fraud prevention and detection efforts. For example, banks and credit card companies sometimes use information reseller products to authenticate the identity of existing customers who call to update or receive account information or to order a replacement credit card. Authentication products usually draw on information similar to that used for verification products, most commonly credit header data and public records. Some resellers offer products that also allow the financial institution to access the customers' credit history with their permission, which provides additional personal information that can be used to verify identity. For example, a customer might be asked the year an automobile loan was originated or the credit limit on a credit card. Fraud departments of financial institutions in our review also use more detailed products from information resellers to investigate suspected identity theft or account fraud, such as the use of a stolen credit card number. (See app. II for a sample fraud investigation report.) In these cases, a company's fraud department often purchases from information resellers detailed background information on a suspect's current and prior residences, vehicles, relatives, aliases, criminal records (in certain states), and other information that can be useful in directing an investigation. Examples of the uses of fraud products offered by resellers include: * obtaining detailed personal information about people associated with potential fraud, or their relatives and associates; * detecting links between individuals who may be co-conspirators in fraud or misconduct; * identifying multiple insurance claims made by the same person; * identifying individuals who are associated with multiple addresses, telephone numbers, or vehicles in ways that indicate potential fraud; * obtaining contact information for key individuals, such as witnesses to car accidents identified in police reports; or: * identifying instances where insurance policy applicants have failed to disclose certain required information. Reducing Risk and Locating Individuals: Financial institutions also sometimes use reseller products to help identify potential reputational risk or other risks associated with new customers or business partners. For example, securities firms told us they screen individuals like prospective wealth management clients or merger partners to check for a criminal record, disciplinary action by securities regulators, negative news media coverage, and known affiliation with terrorism, drug trafficking, or organized crime. Financial institutions we spoke with also often use information resellers to locate individuals. For example, lenders use reseller products to find customers who have defaulted on debts, and some mutual fund companies use these products to locate lost shareholders. The information provided by products used for this purpose is derived largely from credit header data, telephone records, and public records data, and may include an individual's aliases, addresses, telephone numbers, Social Security number, motor vehicle records, as well as the names of neighbors and associates. For example, one financial institution told us its debt collectors use a ChoicePoint product called DEBTOR Discovery to get such information to help locate delinquent debtors. Some Financial Institutions Use Information Resellers for Marketing: Some information resellers offer certain products that help financial institutions market their financial products and services to new or existing customers with specific characteristics. Databases held by resellers offering marketing products include a variety of information on individuals and households, such as household size, number and ages of children, estimated household income, homeownership status, demographic data, and lifestyle interests and activities. These databases derive their information from public records as well as nonpublic sources such as self-reported marketing surveys, product warranty cards, and lists of magazine subscribers, which may be used to provide financial institutions and other companies with lists of consumers meeting certain criteria.[Footnote 12] For example, a bank marketing a college savings account might request the names and addresses of all households in certain ZIP codes that have children under the age of 18 and household incomes of $100,000 or more. Financial institutions we studied also use certain reseller products to gather additional information on their existing customers to market additional products and services. For example, we spoke with an insurance company that used an information reseller to learn which of its existing customers owned boats, so those customers could be targeted for boat insurance. Similarly, one bank we spoke with used an information reseller to help market a sailing credit card to current customers who lived near bodies of water. Many companies that solicit new credit card accounts and insurance policies use nationwide credit bureaus for "prescreening" to identify potential customers for the products they offer.[Footnote 13] A lender or insurance company establishes criteria, such as a minimum credit score, and then purchases from a credit bureau a list of people in the bureau's database who meet those criteria. In some cases, the financial institution already has a list of potential customers that it provides to the credit bureau to identify individuals on the list who meet the criteria. Financial institutions sometimes also use a second information reseller to help them obtain from a credit bureau a list that includes only consumers meeting specific demographic or lifestyle criteria. For example, in marketing a home equity line of credit, a lender may use a second information reseller to work with a credit bureau to identify creditworthy individuals that are also homeowners and live in certain geographic areas, to which the lender will then make a firm offer of credit. Financial institutions sometimes use data from information resellers for models--developed by either the institution or the reseller--that seek to predict consumers likely to be interested in a new product and unlikely to present a credit risk. For example, a firm we spoke with that was marketing credit cards to college students used reseller data to determine the characteristics of college students that indicate they will be successful credit card borrowers. Federal Privacy and Information Security Laws Apply to Many Information Reseller Products, Depending on Their Use and Source: The Fair Credit Reporting Act (FCRA) and the Gramm-Leach-Bliley Act (GLBA) are the primary federal laws governing the privacy and security of personal data collected and shared by information resellers. FCRA limits resellers' use and distribution of personal data, and allows consumers to access the data held on them, but it only applies to information collected or used primarily to make eligibility determinations. Unless FCRA applies to a product and its database, resellers typically provide only limited opportunities for the consumer to access, correct, or restrict sharing of the personal data held on them. GLBA's privacy provisions restrict the sharing of nonpublic personal information collected by or acquired from financial institutions, including resellers covered by GLBA's definition of financial institution (GLBA financial institutions). Further, GLBA's safeguarding provision requires resellers that are GLBA financial institutions to safeguard this information. Several Federal Privacy and Security Laws Apply to Personal Data Held by Information Resellers: No single federal law governs the use or disclosure of all personal information by private sector companies. Similarly, there are no federal laws designed specifically to address all of the products sold and data maintained by information resellers.[Footnote 14] Instead, a variety of different laws govern the use, sharing, and protection of personal information that is maintained for specific purposes or by specific types of entities. The two primary federal laws that protect personal information maintained by private sector companies are FCRA and GLBA. FCRA protects the security and confidentiality of personal information that is collected or used to help make decisions about individuals' eligibility for, among other things, credit, insurance, or employment, while GLBA is designed to protect personal financial information that individuals provide to or that is maintained by financial institutions. In addition to FCRA and GLBA, other federal laws that directly or indirectly address privacy and data security may also cover some information reseller products.[Footnote 15] The Driver's Privacy Protection Act of 1994 regulates the use and disclosure by state motor vehicle departments of personal information from motor vehicle records.[Footnote 16] Personal motor vehicle records may be purchased and sold only for certain purposes--such as insurance claims investigations and other anti-fraud activities--unless a state motor vehicle agency has received express consent from the individual indicating otherwise.[Footnote 17] In addition, the Federal Trade Commission Act (FTC Act), enacted in 1914 and amended on numerous occasions, gives FTC the authority to prohibit and act against unfair or deceptive acts or practices.[Footnote 18] The failure by a commercial entity, such as an information reseller, to reasonably protect personal information could be a violation of the FTC Act if the company's actions constitute an unfair or deceptive act or practice. Finally, some federal banking regulators have authority to oversee their institutions' third-party service providers to ensure the safety and soundness of financial institutions.[Footnote 19] For example, if a vendor such as an information reseller did not employ reasonable safeguards to maintain a bank's records, federal banking regulators could examine the vendor to identify and remedy the risks.[Footnote 20] FCRA Applies Only to Consumer Information Used to Determine Eligibility: The Fair Credit Reporting Act (FCRA), enacted in 1970, protects the confidentiality and accuracy of personal information used to make certain types of decisions about consumers. Specifically, FCRA applies to companies that furnish, contribute to, or use "consumer reports"-- reports containing information about an individual's personal and credit characteristics used to help determine eligibility for such things as credit, insurance, employment, licenses, and certain other benefits.[Footnote 21] Businesses that evaluate consumer information or assemble such reports for third parties are known as consumer reporting agencies, or CRAs. Consumer reports covered by FCRA comprise a significant portion of consumer data transactions in the United States. For example, according to an industry association that represents CRAs, the three nationwide credit bureaus sell over 2.5 billion credit reports each year on average. FCRA places certain restrictions and obligations on CRAs that issue these reports. For example, the law restricts the use of consumer reports to certain permissible purposes, such as approving credit, imposes certain disclosure requirements, and requires that CRAs take steps to ensure that information in these reports is not misused. It also provides consumers with certain rights in relation to their credit reports, such as the right to dispute the accuracy or completeness of items in the reports. Congress has amended FCRA a number of times, most recently with the Fair and Accurate Credit Transactions Act of 2003 (FACT Act), which sought to promote more- accurate credit reports and expand consumers' access to their credit information.[Footnote 22] Information resellers are subject to FCRA's requirements only with regard to information used to compile consumer reports--that is, reports used to help determine eligibility for certain purposes, including credit, insurance, or employment. Thus, FCRA applies to databases used to compile credit reports sold by the three nationwide credit bureaus, and its provisions apply both to the credit bureaus themselves as well as to other information resellers that purchase and resell credit reports for use by others. FCRA also applies to databases used to generate specialty consumer reports--which consist of such things as tenant history, check writing history, employment history, medical information, or insurance claims--that are used to help make eligibility determinations. For example, according to ChoicePoint, FCRA applies to the data used in most of its WorkPlace Solutions products, which employers use to make hiring decisions. Similarly, according to LexisNexis, FCRA applies to its Electronic Bankruptcy Notifier product data, which financial institutions use to determine whether to offer customers credit or other financial services. Overall, 8 of the 10 information resellers we spoke with said that at least some of their products are consumer reports as defined by FCRA. They said their contracts prohibit their customers from using their non-FCRA products for purposes related to making eligibility determinations. According to the information resellers included in our review, FCRA does not cover many databases used to create other products they offer because, as defined by the law, the information was not collected for making eligibility determinations and the products are not intended to be used for making eligibility determinations.[Footnote 23] For example, some of the information resellers we spoke with did not treat data in some products used to identify and prevent fraud as subject to FCRA. Similarly, resellers do not typically consider databases used solely for marketing purposes to be covered by FCRA. Because the definition of a consumer report under FCRA depends on the purpose for which the information is collected and on the reports' intended and actual use, an information reseller apparently may have two essentially identical databases with only one of them subject to FCRA. FCRA also restricts financial institutions and other companies that use consumer reports from using them for purposes other than those permitted in the law. Financial institutions must also notify consumers if they take an adverse action--such as denying an applicant a credit card--based on information in a consumer report. Under FCRA, companies that furnish information to CRAs also must take steps to ensure the accuracy of information they report. Further, users of consumer reports must properly dispose of consumer reports they maintain. The law also limits financial institutions and other entities from sharing certain credit information with their affiliates for marketing purposes. Final regulations to implement this statutory limitation have not yet been promulgated. FCRA Provides Access, Correction, and Opt-Out Rights for Consumer Reports: FCRA is the primary federal law that provides rights to consumers to view, correct, or opt out of the sharing of their personal information, including data held by information resellers. Under FCRA, as recently amended by the FACT Act, consumers have the right to: * obtain all of the information about themselves contained in the files of a CRA upon request, including their credit history; * receive one free copy of their credit file from nationwide CRAs and nationwide specialty CRAs once a year or under certain other circumstances;[Footnote 24] * dispute information that is incomplete or inaccurate, and have their claims investigated and any errors deleted or corrected, as provided by the law; and: * opt out of allowing CRAs to provide their personal information to third parties for prescreened marketing offers.[Footnote 25] Most of FCRA's access, correction, and opt-out rights apply not just to the three nationwide credit bureaus--Experian, TransUnion, and Equifax- -but also to other CRAs, including nationwide specialty CRAs that provide reports on such things as insurance claims and tenant histories. The law imposes slightly different requirements on these entities with respect to free annual reports. For example, FCRA's implementing regulation requires Experian, TransUnion, and Equifax to create a centralized source for accepting consumer requests for free credit reports, which must include a single dedicated Web site, a toll- free telephone number, and mail directed to a single postal address where consumers can order credit reports from all three nationwide CRAs.[Footnote 26] Nationwide specialty CRAs are individually required to maintain a toll-free number and a streamlined process for accepting and processing consumer requests for file disclosures.[Footnote 27] Other CRAs must provide consumers with a copy of their report upon request (although in most cases they may charge a reasonable fee for it), and they must allow consumers to dispute information they believe to be inaccurate. In practice, consumers may find it difficult in some cases to effectively access and correct information held by nationwide specialty CRAs because there may be hundreds of such CRAs and no master list exists. For example, job seekers who want to confirm the accuracy of information about themselves in background-screening products would need to request their consumer reports from the dozens of such companies that offer such products. Consumers generally do not have the legal right to access or correct information about them contained in non-FCRA databases, such as those used for marketing purposes or, in some cases, fraud detection. The information resellers we studied varied in the extent to which they voluntarily provide consumers with additional opportunities to view, correct, and opt out of the sharing of information beyond what the law requires. The three nationwide credit bureaus allowed consumers to view only information that is subject to FCRA. However, three other information resellers we spoke with allowed consumers to order summary reports of some data maintained about them that was not subject to FCRA. These reports varied in length and detail but typically contained consumer data obtained from public records, publicly available information, and credit header information. Consumers did not typically have the right to see data maintained about them related to marketing, such as information on their household income, interests, or hobbies, which was often obtained from warranty cards or self-reported survey questionnaires. Information resellers told us that consumers who request correction of inaccurate data not covered by FCRA are typically referred to the government or private entity that was the source of the data. Many resellers told us that because their databases are so frequently updated, simply correcting their own databases would not be effective because it would soon be refreshed by new erroneous data from the original source. However, one reseller told us it has procedures that prevent such corrections from being overwritten. Some resellers offered limited opportunities for consumers to opt out of their databases even for data not covered by FCRA, but they typically allow this only for data used for marketing purposes. The five resellers we spoke with that maintain personal data used for marketing allowed consumers to request that their information not be shared with third parties. None of the resellers we spoke with offered all consumers the ability to opt out of identity verification or fraud products. They noted that it would undermine the effectiveness of the databases if, for example, criminals could remove themselves from lists of fraudsters. Some resellers do allow opt-out opportunities to certain individuals, such as judges or identity-theft victims, who may face potential harm from having their information included in reseller databases. Industry representatives, consumer advocates, and others offer differing views on whether the access, correction, and opt-out rights provided under FCRA should be expanded. Many consumer advocates and others have argued that these rights should not be limited to consumer information used for eligibility purposes, but should explicitly extend as well to databases not currently considered by resellers to be subject to FCRA, such as those used for some anti-fraud products. Proponents of this view argue that basic privacy principles dictate that consumers should have the right to know what information is being collected and maintained about them. In addition, they argue that errors in these databases have the potential to harm consumers. For example, an individual could be denied a volunteer opportunity or falsely pursued as a crime suspect due to erroneous information in a reseller database not covered under FCRA. In contrast, some information resellers, financial services firms, and law enforcement representatives have argued that providing individuals expanded access, correction, and opt-out rights is unnecessary and could harm fraud prevention and criminal investigations by providing individuals with the opportunity to see and manipulate the information that exists about them. They also note that expanding these rights could create new regulatory burdens. For example, firms maintaining databases for marketing purposes could face substantial costs and complications developing and implementing processes for consumers to see, challenge, and correct the data held on them. Information resellers noted that providing access and correction rights for personal information in marketing databases makes little sense because the accuracy of this information is much less important than for information used to make crucial eligibility decisions. GLBA Applies to Information Resellers That Are Financial Institutions or Receive Information from Financial Institutions: The Gramm-Leach-Bliley Act (GLBA), enacted in 1999, limits with certain exceptions the sharing of consumer information by financial institutions and requires them to protect the security and confidentiality of customer information. Further, GLBA limits the reuse and redisclosure of the information for those receiving it. GLBA's key provisions with regard to information resellers, therefore, cover the privacy, reuse, redisclosure, and safeguarding of information. GLBA Privacy Provisions: GLBA's privacy provisions generally limit financial institutions from sharing nonpublic personal information with nonaffiliated companies without first providing certain notice and, where appropriate, opt-out rights to their own customers and other consumers with whom they interact.[Footnote 28] GLBA distinguishes between a financial institution's "customers" and other individuals the financial institution may interact less with, which the law refers to as "consumers." Specifically, a consumer is an individual who obtains a financial product or service from a financial institution.[Footnote 29] On the other hand, a customer is a consumer who has an ongoing relationship with a financial institution. For example, someone who engages in an isolated transaction with a financial institution, such as obtaining an ATM withdrawal, is a consumer, whereas someone who has a deposit account with a bank would be a customer. While some GLBA requirements, such as the privacy requirements, apply broadly to cover consumer information in many cases, other provisions of GLBA apply only to customer information. For example, GLBA's safeguarding requirements oblige financial institutions to protect only customer information. GLBA requires financial institutions to provide their customers with a notice at the start of the customer relationship and annually thereafter for the duration of that relationship. The notice must describe the company's sharing practices and give customers, and in some cases consumers, the right to opt out of some sharing. GLBA exempts companies from notice and opt-out requirements under certain circumstances. For example, financial institutions and CRAs may share personal information for credit-reporting purposes without providing opt-out opportunities, and financial institutions and others may also share this information to protect against or prevent actual or potential fraud and unauthorized transactions.[Footnote 30] Thus, financial institutions are not required to provide their customers with opt-out rights before reporting their information to credit bureaus or sharing their information with information resellers for identity verification and fraud purposes. Under another GLBA exception, financial institutions are also not required to provide consumers with an opportunity to opt out of the sharing of information with companies that perform services for the financial institution.[Footnote 31] GLBA's privacy provisions apply to information resellers only if (1) the reseller is a GLBA "financial institution" or (2) the reseller receives nonpublic personal information from such a financial institution (see fig. 2). The determination of whether a company is a financial institution under GLBA is complex and, for an information reseller, depends on whether the company's activities are included in implementing regulations issued by FTC. GLBA defines "financial institutions" as entities that are in the business of engaging in certain financial activities.[Footnote 32] Such activities include, among other things, traditional banking services, activities that are financial in nature on the FRB list of permissible activities for financial holding companies in effect as of the date of GLBA's enactment, and new permissible activities.[Footnote 33] While new financial activities may be identified, those activities are not automatically included in FTC's definition.[Footnote 34] FTC defines "financial institutions" as businesses that are "significantly engaged" in financial activities.[Footnote 35] For example, FRB's list of "financial activities" includes not only the activity of extending credit, but also related activities such as credit bureau services.[Footnote 36] Thus, the three nationwide credit bureaus are considered financial institutions subject to GLBA.[Footnote 37] Figure 2: GLBA Privacy Provisions: [See PDF for image] Source: GAO(analysis), Art Explosion(image). [End of figure] FTC staff told us that the determination of whether a specific information reseller is a financial institution subject to GLBA depends on the specific activities of the company. They said they determine whether GLBA applies to an entity on a case-by-case basis and that it is difficult to generalize what types of information resellers are GLBA financial institutions. For example, CRAs other than the three nationwide credit bureaus may not necessarily be subject to GLBA if, for example, their activities do not fall under FRB's definition of credit bureau services or they do not otherwise engage in any financial activity included in the 1999 FRB list. Only four resellers with whom we spoke--the three nationwide credit bureaus and a specialty CRA that collects deposit account information--told us they consider themselves financial institutions subject to GLBA's privacy and safeguarding provisions. Moreover, we were told that these provisions do not apply to the entire company but rather only to those activities of the company that are deemed financial in nature. For example, one credit bureau told us that its credit reporting activities fall under GLBA, but that its marketing products, which are not deemed financial in nature, do not fall under GLBA.[Footnote 38] GLBA not only limits how financial institutions share nonpublic personal information with other companies, but it also restricts what those companies subsequently do with the information. Under GLBA's "reuse and redisclosure" provision and FTC's implementing rule, companies that receive information from a financial institution are restricted in how they further share or use that information.[Footnote 39] If a company receives information under a GLBA exception, then the reseller can only reuse and redisclose the information for activities that fall under the exception under which the information was received.[Footnote 40] Alternatively, if a company receives information from a financial institution in a way not covered by an exception-- where an individual has been provided with a GLBA notice and has chosen not to opt out of sharing--then the information may be reused and redisclosed in any way the original financial institution would have been permitted.[Footnote 41] As noted earlier, the nationwide credit bureaus sell credit header data--identifying information at the top of a credit report--to other information resellers for use in fraud prevention products. Representatives of two of the credit bureaus and their industry association told us that because credit header data contains information from financial institutions, it is subject to GLBA's reuse and redisclosure provisions. As a result, the credit bureaus can only sell credit header data under the same GLBA exception under which they received it. Credit bureau representatives said they receive the information from financial institutions under both the consumer reporting and fraud prevention exceptions, and then sell it under the fraud prevention exception. Also, some old credit header data may not be subject to GLBA at all. Prior to GLBA's enactment in 1999, credit header information sold by credit bureaus--which included names, addresses, aliases, and Social Security numbers--could be used or resold by a third party for any purpose, as long as the information was not used to make eligibility determinations. GLBA placed restrictions on the sale of such nonpublic personal information maintained by GLBA financial institutions. Further, as noted earlier, reuse and redisclosure of the information is also restricted by GLBA. The law's privacy restrictions generally became fully effective on July 1, 2001.[Footnote 42] A nationwide credit bureau told us that the restrictions did not apply retroactively to credit header data that credit bureaus already held at the time of GLBA's enactment in 1999. The nationwide credit bureau said that just prior to GLBA's enactment, it created a new database containing "pre- GLBA" credit header data and transferred those data to a separate affiliated company.[Footnote 43] The company told us that because it gathered these data prior to GLBA's enactment, the data are not subject to GLBA's privacy and safeguarding provisions. GLBA Safeguarding Provisions: The safeguarding provisions of GLBA require financial institutions to take steps to ensure the security and confidentiality of their customers' nonpublic personal information.[Footnote 44] Specifically, the agency regulations provide that financial institutions must develop comprehensive written policies and procedures to ensure the security and confidentiality of customer records and information, protect against any anticipated threats or hazards to the security or integrity of such records, and protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer.[Footnote 45] Although the privacy provisions of GLBA apply broadly to financial institutions' consumers, GLBA's safeguarding requirements only establish obligations on financial institutions to protect their customer information. Only information resellers defined as financial institutions under the law are required to implement these safeguards. Several of the information resellers we spoke with noted that although GLBA does not apply to all of their products, they have policies and procedures to protect all of their information in a way consistent with GLBA's safeguarding requirements. Unlike GLBA's notice and opt-out requirements (privacy requirements), the law's safeguarding provisions do not directly extend to third-party companies that receive personal information from financial institutions. However, federal agencies' provisions implementing GLBA safeguarding rules require financial institutions to monitor the activities of their service providers and require them by contract to implement and maintain appropriate safeguards for customer information.[Footnote 46] Many commercial entities--including many information resellers--are not subject to GLBA and therefore are not explicitly required by a federal statute to have in place policies and procedures to safeguard individuals' personal data. This raises concerns given that identity theft has emerged as a serious problem and that breaches of sensitive personal data have occurred at a variety of companies that are not financial institutions. For example, in 2005, BJ's Wholesale Club, which is not considered a GLBA financial institution, settled FTC charges that it engaged in an unfair or deceptive act or practice in violation of the FTC Act by failing to take appropriate security measures to protect the sensitive information of thousands of its customers.[Footnote 47] FTC alleged that the company's failure to secure sensitive information was an unfair practice because it caused substantial injury not reasonably avoidable by consumers and not outweighed by offsetting benefits to consumers or competition. Some policymakers, consumer advocates, and industry representatives have advocated explicit statutory requirements that would expand more broadly the number and types of companies that must safeguard their data. Had there been a statutory requirement for BJ's Wholesale Club to safeguard sensitive information, FTC would have had authority to file a complaint based on the company's failure to safeguard information. Expanding the class of entities subject to safeguarding laws would impose explicit data security provisions on a larger group of organizations that are maintaining sensitive personal information. FTC has testified that should Congress enact new data security requirements, FTC's safeguards rule should serve as a model for an effective enforcement standard because it provides sufficient flexibility to apply to a wide range of companies rather than mandate specific technical requirements that may not be appropriate for all entities.[Footnote 48] To be most effective, new data security provisions would need to apply both to customer and noncustomer data because the nature of information reseller businesses is such that they hold large amounts of sensitive personal information on individuals who are not their customers. No Federal Statute Requires Notification of Data Breaches: Currently, there is no federal statute requiring information resellers or most other companies to disclose breaches of sensitive personal information, although at least 32 states have enacted some form of breach notification law.[Footnote 49] Policymakers and consumer advocates have raised concerns that federal law does not always require companies to reveal instances of the theft or loss of sensitive data. These concerns have been triggered in part by increased public awareness of the problem of identity theft and by a large number of data breaches at a wide variety of public and private sector entities, including major financial services firms, information resellers, universities, and government agencies. In 2005, ChoicePoint acknowledged that the personal records it held on approximately 162,000 consumers had been compromised. As part of a settlement with the company in January 2006, FTC alleged that ChoicePoint did not have reasonable procedures to screen prospective subscribers to its data products, and provided consumers' sensitive personal information to subscribers whose applications should have raised obvious suspicions.[Footnote 50] A December 2005 report by the Congressional Research Service noted that personal data security breaches were occurring with increasing regularity, and listed 97 recent breaches, five of which had occurred at information resellers.[Footnote 51] Data breaches are not limited to private sector entities, as evidenced by the theft discovered in May 2006 of electronic data of the Department of Veterans Affairs containing identifying information for millions of veterans. Congress has held several hearings related to data breaches, and a number of bills have been introduced that would require companies to notify individuals when such breaches occur.[Footnote 52] The bills vary in many ways, including differences in who must be notified, the level of risk that triggers a notice, the nature of the notification, exceptions to the requirement, and the extent to which federal law preempts state law. Breach notification requirements have two primary benefits. First, they provide companies or other entities with incentives to follow good security practices so as to avoid the legal liability or public relations risks that may result from a publicized breach of customer data. Second, consumers who are informed of a breach of their personal data can take actions to mitigate potential risk, such as reviewing the accuracy of their credit reports or credit card statements. However, FTC and others have noted that any federal requirements should ensure that customers receive notices only when they are at risk of identity theft or other related harm. To require notices when consumers are not at true risk could create an undue burden on businesses that may be required to provide notices for minor and insignificant breaches. It could also overwhelm consumers with frequent notifications about breaches that have no impact on them, reducing the chance they will pay attention when a meaningful breach occurs. At the same time, consumer and privacy groups and other parties have warned against imposing too weak of a trigger for notification, and expressed concerns that a federal breach notification law could actually weaken consumers' security if it were to preempt stronger state laws.[Footnote 53] FTC Has Primary Responsibility for Enforcing Information Resellers' Compliance with Privacy and Information Security Laws: The Federal Trade Commission is the federal agency with primary responsibility for enforcing applicable privacy and information security laws for information resellers. Since 1972, FTC has initiated numerous formal enforcement actions against information resellers for providing consumer report information without adequately ensuring that their customers had a permissible purpose for obtaining the data. FTC has civil penalty authority for violations of FCRA and, in limited situations, the FTC Act, but it does not have such authority for GLBA, which may inhibit its ability to most effectively enforce that law's privacy and security provisions. FTC Has Primary Federal Enforcement Authority over Information Resellers: FTC enforces the privacy and security provisions of FCRA and GLBA over information resellers. FCRA provided FTC with enforcement authority for nearly all companies not supervised by a federal banking regulator.[Footnote 54] Similarly, GLBA provided FTC with rule-making and enforcement authority over all financial institutions and other entities not under the jurisdiction of the federal banking regulators, NCUA, SEC, the Commodity Futures Trading Commission, or state insurance regulators.[Footnote 55] In addition, the FTC Act provides FTC with the authority to investigate and take administrative and civil enforcement actions against most commercial entities, including information resellers, that engage in unfair or deceptive acts or practices in or affecting commerce. According to FTC officials, an information reseller could violate the FTC Act if it mishandled personal information in a way that rose to the level of an unfair or deceptive act or practice. State regulators also play a role in enforcing data privacy and security laws. FCRA provides enforcement authority to a state's chief law enforcement officer, or any other designated officer or agency, although federal agencies have the right to intervene in any state- initiated action.[Footnote 56] In addition, GLBA allows states to enforce their own information security and privacy laws, including those that provide greater protections than GLBA, as long as the state laws are not inconsistent with requirements under the federal law. Several states, including Connecticut, North Dakota, and Vermont, have enacted restrictions on the sharing of financial information that are stricter than GLBA.[Footnote 57] States can also enforce their own laws related to unfair or deceptive acts or practices to the extent the laws do not conflict with federal law. FTC Has Investigated and Initiated Formal Enforcement Actions against Information Resellers for FCRA and FTC Act Violations: Since 1972, FTC has initiated numerous formal enforcement actions against at least 20 information resellers for violating FCRA and, in some cases, the FTC Act.[Footnote 58] All of these companies were CRAs, and they included the three nationwide credit bureaus as well as a variety of types of specialty CRAs.[Footnote 59] In most of these cases, FTC charged that the companies provided consumer report information without adequately ensuring that their customers had a permissible purpose for obtaining the data. In many cases, FTC alleged the companies sold consumer reports to users they had no reason to believe intended to use the information legally, or didn't require the users to identify themselves and certify in writing the purposes for which they wished to use the reports. In addition, some companies' reports allegedly included significant inaccuracies or obsolete information; some companies also failed to reinvestigate disputed information within a reasonable period of time.[Footnote 60] Among the most significant of these FTC enforcement actions against information resellers are the following: * In 1995, FTC settled charges with Equifax Credit Information Services, the credit bureau subsidiary of Equifax Inc., for alleged violations of FCRA. FTC alleged that the company furnished consumer reports to individuals without a permissible purpose, included derogatory information in consumer reports that should have been excluded after it was disputed by the consumer, and failed to take steps to reduce inaccuracies in reports and reinvestigate disputed information. The consent agreement required Equifax to take steps to improve the accuracy of its consumer reports and limit the furnishing of such reports to those with a permissible purpose under FCRA.[Footnote 61] * In 2000, FTC ordered the TransUnion Corporation, a nationwide credit bureau, to stop selling consumer reports in the form of target marketing lists to marketers who lack an authorized purpose under FCRA for receiving them. The company had been selling mailing lists of the names and addresses of consumers meeting certain credit-related criteria (such as having certain types of loans). FTC found that the lists were consumer reports and that the lists therefore could not be sold for target marketing purposes.[Footnote 62] * In January 2006, FTC settled charges against ChoicePoint that its security and record-handling procedures violated federal laws with respect to consumers' privacy. FTC had alleged the company violated FCRA by providing sensitive personal information to customers despite obvious indications that the information would not be used for a permissible purpose. For example, ChoicePoint allegedly approved as customers individuals who subscribed to data products for multiple businesses using fax machines in public commercial locations. FTC also charged that the company violated the FTC Act by making false and misleading statements in its privacy policy, which said it provided consumer reports only to businesses that complete a rigorous credentialing process. Under the terms of the settlement, ChoicePoint agreed to pay $10 million in civil penalties--the largest civil penalty in FTC history--and to provide $5 million in consumer redress.[Footnote 63] ChoicePoint did not admit to a violation of law in settling the charges. A company representative told us it has taken steps since the breach to enhance its customer screening process and to assist affected consumers. FTC Cannot Levy Civil Penalties for GLBA Information Privacy and Security Violations: FTC is the primary federal agency monitoring information resellers' compliance with privacy and security laws, but it is a law enforcement rather than supervisory agency. Unlike federal financial institution regulators, which oversee a relatively narrow class of entities, FTC has jurisdiction over a large and diverse group of entities and enforces a wide variety of statutes related to antitrust, financial regulation, consumer protection, and other issues. FTC's mission and resource allocations focus on conducting investigations and, unlike federal financial regulators, FTC does not routinely monitor or examine the companies over which it has jurisdiction. If FTC has reason to believe that violations of laws under its jurisdiction have taken place, it may initiate a law enforcement action. Under its statutory authority, it can ask or compel companies to produce documents, testimony, and other materials. FTC may in administrative proceedings issue cease and desist orders for unfair or deceptive acts or practices. Further, FTC generally may seek from the United States district courts a wide range of remedies, including injunctions, damages to compensate consumers for their actual losses, and disgorgement of ill-gotten funds.[Footnote 64] Depending on the law it is enforcing, FTC may also seek to obtain civil penalties--monetary fines levied for a violation of a civil statute or regulation. Although FTC has civil penalty authority for violations of FCRA and in limited situations the FTC Act, GLBA's privacy and safeguarding provisions do not give it such authority.[Footnote 65] Currently, FTC may seek an injunction to stop a company from violating these provisions and may seek redress--damages to compensate consumers for losses--or disgorgement. However, determining the appropriate amount of consumer compensation requires having information on who and how many consumers were affected and the harm, in monetary terms, that they suffered. This can be extremely difficult in the case of security and privacy violations, such as data breaches. Such breaches may lead to identity theft, but FTC staff told us that they may not be able to identify exactly which individuals were victimized and to what extent they were harmed--particularly in cases where the potential identity theft could occur years in the future. FTC could benefit from having the authority to impose civil penalties for violations of GLBA's privacy and safeguarding provisions because such penalties may be more practical enforcement tools for violations involving breaches of mass consumer data. FTC has testified that such authority is often the most appropriate remedy in such cases, and staff told us it could more effectively deter companies from violating provisions of GLBA. Unlike FTC, other regulators have civil penalty authority to enforce violations of GLBA. For example, OCC told us it can enforce GLBA privacy and safeguard provisions with civil money penalties against any insured depository institution or institution-affiliated party.[Footnote 66] Agencies Differ in Their Oversight of the Privacy and Security of Personal Information at Financial Institutions: In enforcing privacy and security requirements, federal regulators do not distinguish between the data that regulated entities obtain from information resellers and other personal information these entities maintain. Federal banking regulators have overseen compliance with the privacy and security provisions of GLBA and FCRA by issuing rules and guidance, conducting examinations, and taking formal and informal enforcement actions when needed. Securities and insurance regulators enforce GLBA information privacy and security requirements in a similar fashion, but FTC is responsible for FCRA enforcement among these firms. FTC is also responsible for GLBA and FCRA enforcement for financial services firms not supervised by another regulator and has initiated several enforcement actions, though it does not conduct routine examinations. Credit union, securities, and insurance regulators told us that unlike most of the banking regulators, they do not have full authority to examine their entities' third-party service providers, including information resellers. Financial Institutions and Their Regulators Said They Do Not Distinguish between Data from Information Resellers and Other Sources: The information privacy and security provisions of GLBA and FCRA provide several federal and state agencies with authority to enforce the laws' provisions for financial institutions. As shown in figure 3, GLBA assigns federal banking and securities regulators and state insurance regulators with enforcement responsibility for the financial institutions they oversee, and FTC has jurisdiction for all other financial institutions. FCRA similarly assigns the federal banking regulators authority over the institutions they oversee and FTC with jurisdiction over other entities.[Footnote 67] FCRA assigns FTC with enforcement responsibility for securities and insurance companies and provides securities and insurance regulators with no statutory responsibilities to enforce FCRA.[Footnote 68] Figure 3: Enforcement Responsibilities for Selected Financial Institutions under FCRA and GLBA: [See PDF for image] Source: GAO. Notes: The Commodity Futures Trading Commission, which was not identified as a functional regulator by GLBA, is nevertheless responsible for enforcing information privacy and security requirements among futures commission merchants, commodity trading advisers, commodity pool operators, and introducing brokers subject to its jurisdiction. See 7 U.S.C. § 7b-2. [A] NCUA enforces GLBA at all federally insured credit unions and FCRA at all federally chartered credit unions. FTC has enforcement authority for all other credit unions not subject to NCUA's jurisdiction. [B] SEC is responsible for enforcing GLBA compliance for investment advisers registered with SEC; FTC is responsible for enforcement at all other investment advisers. [C] FTC is responsible for enforcing FCRA at securities firms and insurance companies, but it is not a supervisory agency and does not conduct routine examinations. [End of figure] Financial regulators told us that in their oversight of companies' compliance with privacy laws, they generally do not distinguish between data obtained from information resellers versus other sources. The nonpublic personal information maintained by financial institutions includes both data they collect directly from their customers as well as data purchased from information resellers, such as credit reports or marketing lists. Banking and securities regulators told us their efforts to oversee the privacy and security of nonpublic personal information do not focus in particular on data that came from information resellers but rather look holistically at a financial institution's information security and compliance with applicable laws. For example, OCC and FRB officials said their examiners enforce the privacy and safeguarding requirements of GLBA and FCRA regardless of whether the source of the data is an information reseller, a customer, or other source. GLBA's safeguarding requirements apply only to nonpublic personal information that financial institutions maintain on their customers and not to information they maintain about other consumers (noncustomers). However, representatives of financial institutions we interviewed said that as a matter of policy, they generally apply the same information safeguards to both customer and consumer information. They said that their information safeguards focus on the sensitivity of the information rather than whether the person is a customer. For example, files containing Social Security numbers would have more stringent safeguards than those containing only names and addresses. Officials of a global investment banking and brokerage firm told us that although their firm maintains separate databases on customers and consumers targeted for marketing, both databases use the higher security standard required for customer information. Another company with similar practices noted that it treats all information with higher standards rather than setting up many different safeguarding policies and procedures. Other companies noted that public relations and reputational risk concerns motivate them to maintain high safeguards to prevent any consumer information from being lost or stolen. Similarly, federal banking regulators told us that failing to safeguard consumer information may not be a violation of GLBA but is still taken very seriously because it represents a threat to a bank's safety and soundness, poses reputational risks, and reflects a weakness in a bank's corporate governance. Federal Banking Agencies Provide Guidance and Examine Regulated Banking Organizations for GLBA and FCRA Compliance: The banking regulators responsible for GLBA and FCRA enforcement have issued regulations and other guidance on information privacy and security requirements. The individual banking regulators examine the financial institutions under their jurisdiction for compliance with GLBA and FCRA information privacy and safeguarding requirements and have taken enforcement actions for violations. Regulations and Other Guidance: The banking agencies acting jointly and individually, and in coordination with FTC, have issued regulations and other guidance for financial institutions to follow in implementing the privacy and safeguarding requirements of GLBA.[Footnote 69] In 2000, following the law's passage, the banking agencies--OCC, FRB, OTS, FDIC, and NCUA-- issued rules for compliance with the law's information privacy requirements.[Footnote 70] These rules helped financial institutions implement GLBA's notice and opt-out requirements. For example, they provided examples of types of information regulated by GLBA. In 2001, the agencies jointly issued guidelines establishing standards for GLBA's safeguarding requirements to assist financial institutions in establishing administrative, technical, and physical safeguards for customer information as required by law.[Footnote 71] In addition to the guidelines that implement GLBA safeguarding requirements, these regulators have in some cases issued guidance to provide further assistance to their institutions. For example, the banking agencies issued a guide on small entities' compliance with GLBA's privacy provision to help companies identify and comply with the requirements. The banking agencies also have issued additional written interagency guidance for financial institutions relating to notification of their customers in the event of unauthorized access to their information where misuse of the information has occurred or is reasonably possible.[Footnote 72] The banking regulators have also issued rules and regulations for their institutions to implement certain provisions of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act), which amends FCRA.[Footnote 73] For example, in 2004, in coordination with FTC, these agencies issued a final rule to implement the FACT Act requirement that persons, including financial institutions, properly dispose of consumer report information and records.[Footnote 74] Some provisions--such as restrictions on how financial institutions can share data with their affiliates for marketing purposes--have yet to be finalized by the banking or other agencies. Through the Federal Financial Institutions Examination Council (FFIEC)- -a formal interagency body comprising representatives from OCC, OTS, FRB, FDIC, and NCUA that coordinates examination standards and procedures for their institutions--the banking agencies have also issued guidance to help bank examiners oversee the integrity of information technology at their institutions. For example, FFIEC developed the FFIEC IT Examination Handbook, which is composed of 12 booklets designed to help examiners and organizations determine the level of security risks at financial institutions and evaluate the adequacy of the organizations' risk management. Representatives of banking regulators say their examiners rely on these booklets in addition to the GLBA and FCRA guidance when examining the integrity of an institution's information privacy and security procedures. Some of these booklets help examiners oversee financial institutions' use of information resellers and other third-party technology service providers by addressing topics such as banks' outsourcing of technology services, or banks' supervision of its technology service providers. Financial institution regulators told us their examiners use these booklets to oversee the soundness of their institutions' technology services and to address information security issues posed by third- party technology service providers such as information resellers. Examinations and Enforcement Actions: Banking regulators regularly examine regulated banks, thrifts, and credit unions for compliance with GLBA and FCRA requirements.[Footnote 75] Each regulatory agency told us that their agencies' safety and soundness, compliance, and information technology examinations include checks on whether their institutions are in compliance with GLBA's and FCRA's provisions related to the privacy and security of personal information. For example, OCC examination procedures tell examiners to review banks' monitoring systems and procedures to detect actual and attempted attacks on or intrusions into customer information systems. However, the scope of the regulators' reviews with regard to privacy and security matters can vary depending on the degree of risk associated with the institution examined. According to the banking agencies, their examinations of institutions' GLBA and FCRA compliance have discovered limited material deficiencies and violations requiring formal enforcement actions. Instead, they have mostly found various weaknesses that they characterized as technical in nature and required informal corrective action.[Footnote 76] FDIC officials said that between 2002 and 2005, the agency took 12 formal enforcement actions for GLBA violations and no formal enforcement actions under FCRA. They noted that FDIC has also taken informal enforcement actions to correct an institution's overall compliance management system, which covers all of the consumer protection statutes and regulations in the examination scope. According to OCC officials, between October 1, 2000, and September 30, 2005, the agency took 18 formal enforcement actions under GLBA and no formal enforcement actions under FCRA. OCC's actions in these cases resulted in outcomes such as cease and desist orders and civil money penalties levied against violators. The agency also informally required banks to take corrective action in several instances, such as requiring a bank to notify customers whose accounts may have been compromised, or requiring a bank to correct and reissue its initial privacy notice. According to OCC staff, OCC's examinations for compliance with GLBA's privacy requirements most commonly found that banks' initial privacy notices were not clear and conspicuous, and its examinations for compliance with GLBA's safeguarding requirements most commonly found cases of inadequate customer information programs, risk assessment processes, testing, and reports to the board. FRB officials said the agency has taken 12 formal enforcement actions in the past 5 years for violations of GLBA's information-safeguarding standards and no formal actions for FCRA violations. They said FRB has taken several informal enforcement actions, including three related to violations of Regulation P, which implements GLBA's privacy requirements, and five informal actions for violations of FCRA. According to FRB staff, FRB's examinations for compliance with the interagency information security standards have found cases of inadequate customer information security programs, board oversight, and risk assessments, as well as cases of incomplete assessment of physical access controls and safeguarding of the transmission of customer data. The most commonly found problem in FRB's examinations for compliance with Regulation P was banks' failure to provide clear and conspicuous initial notices of their privacy policies and procedures. With regard to FCRA compliance, the violations cited most frequently were the failure to provide notices of adverse actions based on information contained in consumer reports or obtained from third parties. Securities Regulators Oversee GLBA Compliance of Securities Firms: SEC, NASD, and NYSE Regulation oversee securities industry participants' compliance with GLBA's privacy and information safeguarding requirements. Similar to the banking agencies, they have issued rules and other guidance, conducted examinations of firms' compliance with federal securities laws and regulations, and, if appropriate, taken enforcement actions. Regulations and Other Guidance: In June 2000, SEC adopted Regulation S-P, which implements GLBA's Title V information privacy and safeguarding requirements among the broker- dealers, investment companies, and SEC-registered investment advisers subject to SEC's jurisdiction.[Footnote 77] Regulation S-P contains rules of general applicability that are substantively similar to the rules adopted by the banking agencies. In addition to providing general guidance, Regulation S-P contains numerous examples specific to the securities industry to provide more meaningful guidance to help firms implement its requirements. For example, the rule provides detailed guidance on the provision covering privacy and opt-out notices when a customer opens a brokerage account. It also contains a section regarding procedures to safeguard information, including the disposal of consumer report information.[Footnote 78] Since Regulation S-P was adopted, SEC staff have issued additional written guidance in the form of Staff Responses to Questions about Regulation S-P. According to SEC staff, companies also receive feedback on Regulation S-P compliance during the examination process, as well as during telephone inquiries made to SEC offices. However, unlike the federal banking agencies, SEC has issued no additional written guidance on institutions notifying customers in the event of unauthorized access to customer information. SEC staff said they are considering possible measures that would address information security programs in more detail, including the issue of how to respond to security breaches. Examinations and Enforcement Actions: SEC has examined registered firms for Regulation S-P compliance. SEC staff said compliance with Regulation S-P was a focus area in SEC examinations during the first 1 to 1½ years after July 2001, when it became effective. During this period, Regulation S-P compliance was reviewed in 858 broker-dealer examinations, of which 105 resulted in findings.[Footnote 79] Also, during this period, Regulation S-P compliance was reviewed in 1,174 investment adviser examinations, of which 128 resulted in findings, and 218 investment company examinations, of which 17 resulted in findings. SEC staff said that more recently SEC has adopted a risk-based approach to determine the depth of a review of compliance with Regulation S-P. Under this approach, an initial review of compliance with Regulation S- P is done to determine if a closer look is warranted. During the past 2½ years, compliance with Regulation S-P was reviewed in 1,891 investment adviser examinations, of which 301 resulted in findings, and 257 investment company examinations, of which 20 resulted in findings. SEC staff said they had not broken out separate Regulation S-P examination findings of broker-dealer examinations for this period and could not provide those numbers. They said the most common deficiencies were failure to provide privacy notices, no or inadequate privacy policy, and no or inadequate policies and procedures for safeguarding customer information. SEC staff said they had not found any deficiencies during their exams that warranted formal enforcement actions. They told us they have dealt with Regulation S-P compliance more as a supervisory matter and required registrants to resolve deficiencies without taking formal actions. SEC staff also said that SEC is now conducting a special review coordinated with NYSE Regulation looking at how broker-dealers are outsourcing certain functions that involve customer information. They said they are concerned with how registrants are managing the outsourcing process, including, among other things, due diligence in contractor selection, monitoring contractor performance, and disaster recovery/business continuity planning. NASD and NYSE Regulation Oversee Compliance of Member Broker-Dealers: NASD and NYSE Regulation also oversee Regulation S-P compliance among member broker-dealers. According to NASD officials, NASD took a two- pronged approach to ensure that its members understand their obligations under Regulation S-P and comply with its requirements. First, NASD issued guidance to its members regarding requirements of the regulation. For example, when Regulation S-P was adopted, NASD issued guidance to facilitate compliance by providing a notice designed to inform and educate its members about Regulation S-P.[Footnote 80] In the summer of 2001, NASD issued an article setting forth questions and answers regarding Regulation S-P and reminding members of the mandatory compliance deadline.[Footnote 81] In July 2005, NASD issued another notice reminding members of their obligations relating to the protection of customer information.[Footnote 82] Second, according to NASD officials, NASD conducts routine examinations--approximately 2,500 per year--to check compliance with NASD rules and the federal securities laws, including Regulation S-P. Examiners check compliance with Regulation S-P using a risk-based approach in which examiners review certain information such as supervisory review procedures to assess the controls that exist at a firm. Depending on its findings, NASD determines whether to inspect in more detail the firm's Regulation S-P policies and procedures to ensure they are reasonably designed to achieve compliance with Regulation S-P, including its safeguarding and privacy requirements. Regulation S-P compliance was reviewed in 4,760 NASD examinations of broker-dealers between October 1, 2000, and September 30, 2005. These examinations resulted in 502 informal actions and two formal actions--called Letters of Acceptance, Waiver, and Consent--for Regulation S-P violations. According to NASD, in one formal action, it censured and fined the respondents a total of $250,000 for various violations related to their failure to establish supervisory procedures and devote sufficient resources to supervision, including Regulation S-P compliance. In the other action, according to NASD, it censured and fined the firm and a principal associated person $28,500 and suspended the person for 30 days for failing to provide privacy notices to its customers and for several other non-privacy- related violations. Similarly, NYSE Regulation issued guidance on Regulation S-P to its member firms and sent its members an information memo reminding them of Regulation S-P requirements shortly before they became mandatory.[Footnote 83] NYSE Regulation's Sales Practice Review Unit conducts examinations of member firms' compliance with Regulation S-P and other privacy requirements on a 1-, 2-or 4-year cycle, or when the member firm is otherwise deemed to be at a certain level of risk. State Insurance Regulators Require Insurers to Comply with Information Privacy and Security Provisions, but Enforcement May Be Limited: GLBA designates state insurance regulators as the authorities responsible for enforcement of its information privacy and safeguarding provisions among insurance companies. The individual states are responsible for enforcing GLBA with respect to insurance companies licensed in the state, and they may issue regulations.[Footnote 84] The National Association of Insurance Commissioners (NAIC) has issued model rules to guide states in developing programs to enforce GLBA requirements and has sponsored a multistate review of insurance companies' performance in this regard. NAIC Has Developed Model GLBA Privacy and Safeguarding Rules, but Not All States Have Adopted GLBA Regulations: NAIC has developed two model rules for states to use in developing regulations or laws to implement the GLBA information privacy and safeguarding provisions among the insurance companies they regulate. The first model rule, the Privacy of Consumer Financial and Health Information Regulation, issued in 2000, includes notice and opt-out requirements relating to insurance entities, and can be used by states as models for state laws and regulations. An August 2005 NAIC analysis showed that all states and the District of Columbia had adopted insurance laws or regulations to implement GLBA's requirements related to the privacy of financial information.[Footnote 85] The second model rule, the Standards for Safeguarding Customer Information Model Regulation, issued in 2002, establishes standards for developing and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information. In contrast to the privacy model, an October 2005 NAIC analysis showed that 17 states had yet to adopt a law or regulation setting standards for safeguarding customer information. In April 2002, GAO reported that insurance customer information and records in states that had not established safeguards may not be subject to a consistent level of legal protection envisioned by GLBA's privacy provisions.[Footnote 86] Individual State Insurance Regulators Have Not Consistently Examined for Privacy and Security Compliance: Individual state insurance regulators have procedures for examining companies for compliance with information privacy and safeguarding requirements, but do not routinely do so. According to an NAIC official, NAIC's Market Conduct Examiners Handbook contains detailed examination procedures for reviewing information privacy requirements and its Financial Examiners Handbook has a segment devoted to security of computer-based systems. He said the individual state regulators can examine for compliance with privacy requirements as part of their comprehensive examinations of companies, but that states are focusing less on conducting comprehensive examinations and more on targeted examinations. As a result of a lack of complaints regarding privacy matters, however, he said the states are probably doing few targeted examinations of compliance with privacy requirements. To forestall possible multiple, overlapping, and inconsistent examinations by numerous states, NAIC in 2005 sponsored a multistate review to gather information on insurance companies' compliance with GLBA privacy and safeguarding provisions. The review team, led by the District of Columbia's Department of Insurance, Securities and Banking (DISB), with the participation of 19 states, covered more than 100 of the largest insurance groups, representing about 800 insurance companies operating in the United States.[Footnote 87] The review team administered a survey questionnaire, reviewed each insurer's responses to the questionnaire, and subsequently held conferences with representatives of the insurer. The review resulted in: * 22 findings related to the risk assessment process, including failure to work toward a formalized assessment process to identify risks of internal and external threats and hazards to the safeguarding, confidentiality, and integrity of information; * 18 findings related to GLBA's requirements for information storage, transmission, and integrity; * 16 findings related to the delivery of privacy notices (although 12 of those findings related to the provision of the initial notice rather than recurring findings); and: * no findings related to GLBA procedures for providing opt-out notifications or procedures for collecting opt-out elections. These findings were similar to those of other financial regulators' examinations of GLBA compliance. However, unlike the other regulators, state insurance regulators do not have comparable examination programs to follow up to ensure that such findings are corrected and do not become more numerous. The DISB qualified the scope of its survey by noting that it did not include (1) a review of the insurer's efforts with respect to remediation activities, (2) a detailed analysis of the effectiveness of the insurer's plans to correct privacy problems or to protect the business against the consequences associated with any privacy-related occurrences, or (3) a determination of steps the insurer must take to become privacy compliant or maintain privacy compliance. Although this survey was not a substitute for regulatory examination of insurers' compliance with GLBA, it could serve as a basis for further examination of such compliance. Other financial regulators have gathered preliminary information that they then use as a basis for further examinations of regulated entities. For example, in 2003, SEC followed up on reports of abusive practices in mutual fund trading by requesting information from various mutual fund companies on these trading practices, and this served as a basis for further examinations of individual companies. According to NAIC officials, the DISB survey results were never reviewed by state insurance regulators as part of their examinations of insurance companies. NAIC officials said the survey results were reviewed by NAIC's Market Analysis Working Group and referred back to DISB to determine what, if any, additional follow- up was necessary. DISB staff told us that most state insurance regulators, as well as DISB, do not have staff with adequate expertise to actually examine insurers' information privacy and safeguarding programs. They said the states would have to contract with vendors to obtain this expertise. FTC Enforces GLBA and FCRA Compliance of Financial Institutions within Its Jurisdiction: As discussed earlier, FTC enforces GLBA for financial institutions not otherwise assigned to the enforcement authority of another regulator, and enforces FCRA for the same entities and others, including securities firms and insurance companies. FTC has issued rules implementing GLBA and FCRA information privacy and safeguarding requirements and developed other materials that provide detailed guidance for companies to implement the requirements. FTC issued two rules--referred to as the Privacy Rule and the Safeguards Rule--to implement GLBA's requirements for financial institutions not covered by similar regulations issued by the financial institution regulators. These rules provide examples to clarify things such as what constitutes a customer relationship and what types of information are covered under the law's sharing restrictions. FTC has also issued rules to implement the FACT Act amendments to FCRA, although some rules have not yet been issued in final form.[Footnote 88] FTC provides additional guidance to financial institutions on how to comply with GLBA and FCRA in the form of business alerts, fact sheets, frequently asked questions, and a compliance guide for small businesses. For example, FTC has issued alerts on safeguarding customers' personal information, disposing of consumer report information, and insurers' use of consumer reports. Between 2003 and 2005, FTC took enforcement actions against at least seven financial service providers for violations of GLBA information privacy and safeguarding requirements, resulting in settlement agreements with: * an Internet mortgage lender accused of false advertising and failure to protect sensitive consumer information; * a credit card telemarketer that allegedly failed to notify consumers of its privacy practices and obtained information from consumers under false pretenses; * two or more mortgage lenders charged with failing to protect consumers' personal information; and: * three nonprofit debt management organizations accused of failing to notify consumers how their personal information would be used, and other violations.[Footnote 89] NCUA, Securities, and Insurance Regulators Do Not Have Full Authority to Examine Third-Party Vendors, Including Information Resellers: As part of their bank examinations, FRB, FDIC, OCC, and OTS have authority to examine third-party service providers, such as some information resellers with which banks may do business.[Footnote 90] Technology service provider examinations are done under the auspices of FFIEC and coordinated with other regulators.[Footnote 91] Some vendors may be examined routinely; for example, officials of one information reseller providing services to banks told us that it is subject to periodic examinations under the auspices of FFIEC. In other cases, a service provider may be examined only once for a particular purpose. For example, OCC and FDIC examiners visited Acxiom, which provides a number of banks with information services, such as analyzing and enhancing customer information for marketing purposes. The examiners' visit focused on a security breach in which a client was granted access to information files obtained from other clients. According to Acxiom officials, this was a one-time review of the breach that occurred in its computer services operations and did not result in the company being added to a list of technology service providers that banking regulators routinely review. Unlike the banking regulators, NCUA does not have authority to examine the third-party service providers of credit unions, including information resellers.[Footnote 92] In 2003, we reported that credit unions increasingly rely on third-party vendors to support technology- related functions such as Internet banking, transaction processing, and fund transfers.[Footnote 93] With greater reliance on third-party vendors, credit unions subject themselves to operational and reputational risks if they do not manage these vendors appropriately. While NCUA has issued guidance regarding the due diligence credit unions should apply to third-party vendors, the agency has no enforcement powers to ensure full and accurate disclosure. As such, in 2003 we suggested that Congress consider providing NCUA with legislative authority to examine third-party vendors, and NCUA has also requested such authority from Congress. However, an NCUA official told us that few of these vendors are information resellers because credit unions typically do not use them to a great extent. He said that credit unions generally use methods other than resellers to comply with PATRIOT Act customer identification requirements, and credit unions' bylaws typically forbid sharing customers' personal financial information for marketing purposes. Similarly, federal securities regulators and representatives of state insurance regulators told us they generally do not have authority to examine or review the third-party service providers of the firms they oversee, including information resellers. According to SEC staff, the agency can examine the third-party vendor only if the firm also is an SEC-registered entity over which the agency has examination authority. However, they said that, to date, SEC has not seen sufficient problems with third-party vendors to justify requesting the authority to examine them at this time. They noted that in their examinations, they hold entities accountable for ensuring that personal information is appropriately safeguarded whether the information is managed in-house or by a vendor. Similarly, NASD officials said that although they do not have jurisdiction to oversee third-party vendors, their examiners review member firms' procedures for monitoring contractors, including whether such contracts contain clauses ensuring the privacy and security of customer information. In July 2005, NASD issued a Notice to Members reminding them that when they outsource certain activities as part of their business structure, they must conduct a due diligence analysis to ensure that the third-party service provider can adequately perform the outsourced functions and comply with federal securities laws and NASD rules.[Footnote 94] Similarly, NYSE Regulation examinations review third-party contracts to ensure that they contain confidentiality clauses prohibiting the contractor from using or disclosing customer information for any use other than the purposes for which the information was provided to the contractor. NYSE Regulation has proposed a rule governing its members' use of contractors, which, if adopted, will require member firms to follow certain steps in selecting and overseeing contractors, such as applying prescribed due diligence standards and the record-keeping requirements of the securities laws[Footnote95]. State insurance regulators generally do not have authority to examine information resellers and other third-party service providers. NAIC officials told us that state insurance regulators can only examine information resellers or other companies if they are registered as rating organizations--companies that collect and analyze statistical information to assist insurance companies in their rate-making process. For example, NAIC said state insurance regulators can examine ISO--one of the resellers included in our review--because it is registered with states as a rating organization. Conclusions: Advances in information technology and the computerization of records have spawned the growth of information reseller businesses, which regularly collect, process, and sell personal information about nearly all Americans. The information maintained by resellers commonly includes sensitive personal information, such as purchasing habits, estimated incomes, and Social Security numbers. The expansion in the past few decades in the sale of personal information has raised concerns about both personal privacy and data security. Many consumers may not be aware how much of their personal information is maintained and how frequently it is disseminated. In addition, identity theft has emerged as a serious problem, and data security breaches have occurred at some major resellers. At the same time, however, information resellers also provide some important benefits to both individuals and businesses. Financial institutions rely heavily on these resellers for a variety of vital purposes, including credit reporting (which reduces the cost of credit), PATRIOT Act compliance, and fraud detection. As Congress weighs various legislative options, it will need to consider the appropriate balance between protecting consumers' privacy and security interests and the benefits conferred by the current regime that allows a relatively free flow of information between companies. No federal law explicitly requires all information resellers to safeguard all of the sensitive personal information they may hold. As we have discussed, FCRA applies only to consumer information used or intended to be used to help determine eligibility, and GLBA's safeguarding requirements apply only to customer data held by GLBA- defined financial institutions. Much of the personal information maintained by information resellers that does not fall under FCRA or GLBA is not necessarily required by federal law to be safeguarded, even when the information is sensitive and subject to misuse by identity thieves. Given financial institutions' widespread reliance on information resellers to comply with legal requirements, detect fraud, and market their products, the possibility for misuse of this sensitive personal information is heightened. Requiring information resellers to safeguard all of the sensitive personal information they hold would help ensure that explicit data security requirements apply more comprehensively to a class of companies that maintains large amounts of such data. Further, although the scope of this report focused on information resellers, this work has made clear to us that a wide range of retailers and other entities also maintain sensitive personal information on consumers. As Congress considers requiring information resellers to better ensure that all of the sensitive personal information they maintain is safeguarded, it may also wish to consider the potential costs and benefits of expanding more broadly the class of entities explicitly required to safeguard sensitive personal information. Any new safeguarding requirements would likely be more effectively implemented and least burdensome if, as with FTC's Safeguards Rule, they provided sufficient flexibility to account for the widely varying size and nature of businesses that hold sensitive personal information. The proliferation of sensitive personal information in the marketplace and increasing numbers of high-profile data breaches have motivated many states to enact data security laws with breach notification requirements. No federal statute currently requires breach notification, but such legislation could have certain benefits. Companies would have incentives to improve data safeguarding to reduce the reputational risk of a publicized breach, and consumers would know to take potential action against a risk of identity theft or other related harm. Congress has held many hearings related to data breaches, and several bills have been introduced that would require breach notification. We support congressional actions to require information resellers, and other companies, to notify individuals when breaches of sensitive information occur. In previous work, we have also identified key benefits and challenges of notifying the public about security breaches that occur at federal agencies. To be cost effective and reduce unnecessary burden on consumers, agencies, and industry, it would be important for Congress to identify a threshold for notification that would allow individuals to take steps to protect themselves where the risk of identity theft or other related harm exists, while ensuring they are only notified in cases where the level of risk warrants such action. Objective criteria for when notification is required and appropriate enforcement mechanisms are also important considerations. Congress should also consider whether and when a federal breach notification law would preempt state laws. FTC has taken many significant enforcement actions against information resellers and other companies that have violated federal privacy laws, and it is important that the agency have the appropriate enforcement remedies. Unlike FCRA, GLBA does not provide FTC with civil penalty authority, and agency staff have expressed concerns that the remedies FTC has available under GLBA--such as disgorgement and consumer redress--are impractical enforcement tools for violations involving breaches of mass consumer data. Providing FTC with the authority to seek civil penalties for violations of GLBA could help the agency more effectively enforce that law's safeguarding provisions. Federal financial regulators generally appear to provide suitable oversight of their regulated entities' compliance with privacy and information security laws governing consumer information. The regulators do not typically distinguish between data that entities receive from resellers and other sources, but this seems reasonable given that the sensitivity, rather than the source, of the data is the most important factor in examining data security practices. However, state insurance regulators do not have comparable examination programs to other financial regulators to ensure consistent GLBA compliance. This may be a source of concern given the recent multistate survey that identified deficiencies in GLBA compliance at insurance companies. Matters for Congressional Consideration: Safeguarding provisions of FCRA and GLBA do not apply to all sensitive personal information held by information resellers. To ensure that such data are protected on a more consistent basis, Congress should consider requiring information resellers to safeguard all sensitive personal information they hold. As Congress considers how best to protect data maintained by information resellers, it should also consider whether to expand more broadly the class of entities explicitly required to safeguard sensitive personal information. If Congress were to choose to expand safeguarding requirements, it should consider providing the implementing agencies with sufficient flexibility to account for the wide range in the size and nature of entities that hold sensitive personal information. To ensure that the Federal Trade Commission has the tools it needs to most effectively act against data privacy and security violations, Congress should consider providing the agency with civil penalty authority for its enforcement of the Gramm-Leach-Bliley Act's privacy and safeguarding provisions. Recommendation for Executive Action: We recommend that state insurance regulators, individually and in concert with the National Association of Insurance Commissioners, take additional measures to ensure appropriate enforcement of insurance companies' compliance with the privacy and safeguarding provisions of the Gramm-Leach-Bliley Act. As a first step, state insurance regulators and NAIC should follow up appropriately on deficiencies related to compliance with these provisions that were identified in the recent nationwide survey as part of a broader targeted examination of GLBA privacy and safeguarding requirements. Agency Comments: We provided a draft of this report to FDIC, FRB, FTC, NAIC, NASD, NCUA, NYSE Regulation, OCC, OTS, and SEC for comment. These agencies provided technical comments, which we incorporated, as appropriate. In addition, FTC provided a written response, which is reprinted in appendix III. In its response, FTC noted that it has previously recommended that Congress consider legislative actions to increase the protection afforded personal sensitive data, including extending GLBA safeguarding principles to other entities that maintain sensitive information. FTC also noted that it concurs with our finding that a civil penalty often is the most appropriate and effective remedy in cases under GLBA privacy and safeguarding provisions. As agreed with your offices, unless you publicly announce its contents earlier, we plan no further distribution of this report until 30 days from the report date. At that time, we will provide copies to other interested congressional committees, as well as the Chairman of the Board of Governors of the Federal Reserve System, the Acting Chairman of the Federal Deposit Insurance Corporation, the Chairman of the Federal Trade Commission, the President of the National Association of Insurance Commissioners, the Chairman and Chief Executive Officer of NASD, the Chairman of the National Credit Union Administration, the Chief Executive Officer of New York Stock Exchange Regulation, the Comptroller of the Currency, the Director of the Office of Thrift Supervision, and the Chairman of the Securities and Exchange Commission. We will also make copies available to others upon request. In addition, the report will be available at no charge on GAO's Web site at [Hyperlink, http://www.gao.gov]. If you or your staff have any questions about this report, please contact me at (202) 512-8678 or jonesy@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made key contributions to this report are listed in appendix IV. Signed by: Yvonne D. Jones: Director, Financial Markets and Community Investment: [End of section] Appendix I: Scope and Methodology: Our report objectives were to examine (1) how financial institutions use data products supplied by information resellers, the types of information contained in these products, and the sources of the information; (2) how federal laws governing the privacy and security of personal data apply to information resellers, and what rights and opportunities exist for individuals to view and correct data held by resellers; (3) how federal financial institution regulators and the Federal Trade Commission (FTC) oversee information resellers' compliance with federal privacy and information security laws; and (4) how federal financial institution regulators, state insurance regulators, and FTC oversee financial institutions' compliance with federal privacy and information security laws governing consumer information, including information supplied by information resellers. For the purposes of this report, we defined "information resellers" broadly to refer to businesses that collect and aggregate personal information from multiple sources and make it available to their customers. The three nationwide credit bureaus were included in this definition. Our audit work focused primarily on larger information resellers and did not cover smaller Internet-based resellers because these companies were rarely or never used by financial institutions from which we collected information. Our scope was limited to resellers' use and sale of personal information about individuals; it did not include other information that resellers may provide, such as data on commercial enterprises. Our review of financial institutions covered the banking, securities, property and casualty insurance, and consumer lending and finance industries, but excluded life insurance and health insurance companies because they use health data that are covered by federal laws that were outside the scope of our work. In addition, we included financial institutions' use of reseller information for purposes related to customers and other consumers, but excluded their use of reseller products for screening their own employees or making business decisions such as where to locate a facility. To address all of the objectives, we interviewed or received written responses from 10 information resellers--Acxiom, eFunds, ChoicePoint, Equifax, Experian, LexisNexis, ISO, Regulatory DataCorp, Thompson West, and TransUnion. We also reviewed marketing materials, sample contracts, sample reports, and other items from these companies that provided detailed information on the data contained in their products. These companies were selected because, according to the financial institutions, trade associations, and industry experts we spoke with, they constitute most of the largest and most significant information resellers offering services to the financial industry sector, and collectively they represent a variety of different products. The information resellers we included and the products they offer do not necessarily represent the full scope of the industry. We also spoke with representatives of the Consumer Data Industry Association and the Direct Marketing Association, trade associations that represent portions of the information reseller industry. To determine how financial institutions use data products supplied by information resellers and the types and sources of the data, we also interviewed or received written responses, and collected and analyzed documents, from knowledgeable representatives at financial institutions in the banking, securities, property and casualty insurance, and consumer lending and finance industries. We gathered information from Bank of America, Citigroup, and JPMorgan Chase, which are the three largest U.S. bank holding companies by asset size, as well as Goldman Sachs, Morgan Stanley, and Merrill Lynch, which are the three largest global securities firms by revenue. We also interviewed representatives at American International Group, State Farm, and Allstate, which are the three largest U.S. insurance companies and include the two largest property/casualty insurers. We also interviewed representatives at GE Consumer Finance, one of the world's 10 largest consumer finance companies, and four other financial institutions-- American Express, Wells Fargo Financial, Security Finance, and Check into Cash--which together offer a variety of consumer lending products, including automobile financing, credit cards, and payday loans. We also interviewed officials at trade associations representing these financial services industries, including the American Bankers Association, Independent Community Bankers of America, Securities Industry Association, Investment Company Institute, American Insurance Association, and American Financial Services Association. These financial institutions from which we gathered information conduct a significant portion of the transactions in the financial services sector. For example, they collectively own 9 of the 50 largest commercial depository institutions, holding about 20 percent of total domestic deposits, as well as 8 of the 10 largest credit card issuers. The insurance companies we spoke with represent about a quarter of the U.S. property and casualty insurer market share. In most cases, we selected these financial institutions by determining the largest companies in each of the four industries, based on data from reputable sources. In two cases, we spoke with firms because they were recommended by representatives of their trade association. Our findings on how financial institutions use information resellers are not representative of the entire financial services industry. However, we believe they accurately represent institutions' use of resellers because our findings from discussions with these companies and their representatives were corroborated by discussions with information resellers, regulators, legal experts, and privacy and consumer advocacy groups. To identify how federal privacy and data security laws and regulations apply to information resellers and individuals' rights and opportunities to view and correct reseller data, we reviewed and analyzed relevant federal laws, regulations, and guidance. We also met with staff of the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, Federal Trade Commission, National Credit Union Administration, Office of the Comptroller of the Currency (OCC), Office of Thrift Supervision, and Securities and Exchange Commission, as well as the National Association of Insurance Commissioners (NAIC), NASD (formerly known as the National Association of Securities Dealers), New York Stock Exchange Regulation (NYSE Regulation), and the District of Columbia's Department of Insurance, Securities and Banking (DISB). In addition, we interviewed three legal experts in the area of privacy law that work in academia or represent financial institutions and information resellers. We also interviewed and collected documents from information resellers, financial institutions, federal regulators, and a variety of privacy and consumer advocacy groups, to gather views on the applicability of laws to information resellers and the adequacy of existing laws. To describe how regulators oversee information resellers' and financial institutions' compliance with federal privacy and data security laws, we met with the federal agencies, financial institutions, information resellers, and other parties listed above. We also reviewed federal agencies' guidance, examination procedures, settlement agreements, and other documents, as well as relevant reports and documents from NAIC, NASD, and NYSE Regulation. To help illustrate regulators' examination activities in this area, we also met with OCC staff who conduct examinations at three national banks and reviewed their examination workpapers. We also gathered data from regulators about the number and nature of examination findings, where applicable. To describe the efforts of state insurance regulators to oversee insurance companies' compliance with the Gramm-Leach-Bliley Act (GLBA), we also reviewed the DISB survey report of insurance companies' implementation of GLBA policies and procedures. DISB used the survey responses to determine findings for each company on the level of compliance with GLBA and related NAIC model rule provisions. The DISB review defined a "finding" as an occurrence of a perceived gap between a company's privacy practices and procedures and the guidelines outlined in one of the model acts or regulations of NAIC. The findings were derived from responses to the survey questions. The companies DISB surveyed comprised major companies, including property and casualty insurance groups with 2002 gross written premiums of approximately $250 million or more; life insurance groups with 2002 gross written premiums of approximately $200 million or more; and health insurance groups with 2002 gross written premiums of approximately $500 million or more. This initial list contained 129 insurance groups. After the initial list was compiled, 26 groups were exempted from the survey examination for one of three reasons: (1) there was a prior, ongoing, or upcoming examination of the group that included (or would include) a comprehensive review of the group's privacy policy (23 groups); (2) the group engaged primarily or solely in reinsurance (2 groups); or (3) the state insurance regulator for the company's state of domicile requested that the group be exempted (1 group). The survey questionnaire included 93 questions asking for detailed documentary and testimonial evidence of companies' level of compliance with GLBA and related NAIC model rule provisions. We conducted our review from June 2005 through May 2006 in accordance with generally accepted government auditing standards. [End of section] Appendix II: Sample Information Reseller Reports: This appendix provides examples of reports from different types of products sold by information resellers. These sample reports, which are reprinted with permission, contain fictitious data and have also been redacted to reduce possible coincidental references to actual people or places. Sample Insurance Claims History Report: This sample insurance claims history report from ChoicePoint provides insurers with insurance claims histories on individuals applying for coverage. Figure 4: Sample Insurance Claims History Report: [See PDF for image] Source: ChoicePoint. [End of figure] Sample Deposit Account History Report: ChexSystems, a subsidiary of eFunds, offers a product that assesses risks associated with individuals applying to open new deposit accounts. The report includes information on an applicant's account history, including accounts closed for reasons such as overdrafts, returned checks, and check forgery. The report may include a numeric score representing the individual's estimated risk. Figure 5: Sample Deposit Account History Report: [See PDF for image] Source: eFunds. [End of figure] Sample Identity Verification and OFAC Screening Report: ISO, a company that provides information services to insurance companies, offers this product for screening new customers and verifying their identities. It provides a "pass" or "fail" response to indicate whether information provided by the applicant matches information maintained by the company. Figure 6: Sample Identity Verification and OFAC Screening Report: [See PDF for image] Source: ISO. [End of figure] Sample Fraud Investigation Report: Below are selected excerpts from a sample report of ChoicePoint's AutoTrack XP product, which helps users such as corporate fraud investigators and law enforcement agencies conduct investigations, locate individuals and assets, and verify physical addresses. Figure 7: Sample Fraud Investigation Report: [See PDF for image] Source: ChoicePoint. [End of figure] [End of section] Appendix III: Comments from the Federal Trade Commission: Federal Trade Commission: Washington, D .C. 20580: The Chairman: June 2, 2006: Ms.Yvonne Jones: Director, Financial Markets and Community Investment: Government Accountability Office: Washington, D.C. 20548: Dear Ms. Jones: The Commission is pleased to have the opportunity to comment on the Government Accountability Office's draft report entitled: Personal Information: Key Federal Privacy Laws Do Not Require Information Resellers to Safeguard all Sensitive Data (GAO-06-674). ("Report") The Report describes the sources of consumer personal data, how different entities use or reuse the data, and the statutory provisions that govern the collection, use, and reuse of sensitive personal information. The Report also explains how banking regulators, the Securities and Exchange Commission, and the Federal Trade Commission ("FTC") oversee compliance with the privacy and safeguarding provisions of the Gramm-Leach-Bliley Act ("GLBA"), and describes the FTC's enforcement of the Fair Credit Reporting Act ("FCRA") with respect to information resellers. The Report concludes that "[n]o federal law explicitly requires all information resellers to safeguard all the sensitive personal information they may hold." It also finds that entities other than infornation resellers hold sensitive personal information. We understand that the agencies' staffs worked cooperatively throughout the preparation of this report and that FTC staff has provided infonnal technical comments on the draft of the Report to the GAO staff, the vast majority of which have been incorporated. The Report makes several legislative recommendations, two of which the Commission supports, and one on which the Commission has no opinion. First, the Report recommends that Congress consider requiring information resellers to safeguard all sensitive personal information they hold, and suggests that Congress consider the benefits and costs of expanding the class of entities explicitly required to safeguard sensitive personal information. (Report at 42) The FTC similarly has recommended that Congress consider legislative actions to increase the protection afforded sensitive personal data. In its June 2005 testimony before the Senate Committee on Commerce, Science, and Transportation on data breaches and identity theft, the Commission recommended that Congress consider extending the GLBA safeguards principles, which require financial institutions to implement procedures to protect consumer financial information, to other entities that maintain sensitive information.[Footnote 96] Second, the Report recommends that Congress consider authorizing the FTC to seek civil penalties for violations of the GLBA privacy and safeguarding provisions. In its testimony to the Senate Committee cited above, the Commission noted that a civil penalty often is the most appropriate and effective remedy in cases under those provisions[Footnote 97]. The Commission thus agrees with the Report's recommendation. Finally, the Report recommends that state regulators ensure compliance with GLBA in its oversight of insurance companies. Although the Commission does not have an opinion regarding state oversight of insurance companies, the Commission agrees with GAO's conclusion that insurance companies often hold sensitive personal data. Protecting the privacy and security of personal information collected or sold by data brokers and others is one of the Commission's highest priorities. The Commission will continue to monitor this area and will take law enforcement action when appropriate against entities that fail to protect properly sensitive consumer data[Footnote 98]. Further, the Commission encourages consumers to understand their rights under the FCRA and GLBA, and to take appropriate measures to protect their data. We have developed an array of consumer education materials for these purposes, which are available online at [Hyperlink, http://www.ftc.gov]. The Commission appreciates this opportunity to review and comment on GAO's Report. By direction of the Commission. Signed by: Deborah Platt Majoras: Chairman: [End of section] Appendix IV: GAO Contact and Staff Acknowledgments: GAO Contact: Yvonne D. Jones, (202) 512-8678 or jonesy@gao.gov: Staff Acknowledgments: In addition to the contact named above, Jason Bromberg, Assistant Director; Katherine Bittinger; David Bobruff; Randy Fasnacht; Evan Gilman; Marc Molino; David Pittman; Linda Rego; and David Tarosky made key contributions to this report. FOOTNOTES [1] This report uses "information resellers" to describe businesses that collect and resell personal information, but there is no one commonly agreed-upon term for such companies. FTC has sometimes used the term "data brokers" but the companies themselves typically use other terms, such as "information solutions providers." [2] The Fair Credit Reporting Act, Pub. L. No. 90-321, title VI (May 29, 1968) as added by Pub. L. No. 91-508, title VI, § 601, 84 Stat. 1128 (Oct. 26, 1970) (codified at 15 U.S.C. § 1681-1681x); and Title V of the Gramm-Leach-Bliley Act (Financial Services Modernization Act of 1999), Pub. L. No. 106-102, title V, subtitle A, 113 Stat. 1338 (Nov. 12, 1999) (codified at 15 U.S.C. § 6801-6809). As discussed later in this report, other federal laws--such as the Driver's Privacy Protection Act of 1994 and the Health Insurance Portability and Accountability Act of 1996--also govern the use and sharing of certain types of personal information. [3] For more information about Internet resellers, see GAO, Social Security Numbers: Internet Resellers Provide Few Full SSNs, but Congress Should Consider Enacting Standards for Truncating SSNs, GAO-06- 495 (Washington, D.C.: May 17, 2006). [4] We use "nationwide credit bureau" and "nationwide consumer reporting agency" interchangeably in this report, and they have the same meaning as the FCRA phrase "consumer reporting agency that compiles and maintains files on consumers on a nationwide basis." FCRA defines this phrase as a consumer reporting agency that regularly engages in the practice of assembling or evaluating, and maintaining public record information and credit account information for the purpose of furnishing consumer reports to third parties bearing on a consumer's credit worthiness, credit standing, or credit capacity. 15 U.S.C. § 1681a(p). [5] For information about federal agencies' use of information resellers, see GAO, Personal Information: Agency and Reseller Adherence to Key Privacy Principles, GAO-06-421 (Washington, D.C.: Apr. 4, 2006). [6] Credit header data are the nonfinancial identifying information located at the top of a credit report, such as name, current and prior addresses, telephone number, and Social Security number. [7] This report focuses on how financial institutions use data from information resellers in conducting transactions with consumers. We did not review other ways that financial institutions use information resellers, such as to screen their potential employees or to gather information about other businesses. [8] The three nationwide credit bureaus use software models developed by the Fair Isaac Corporation to produce FICO® credit scores, which are credit scores used by many financial services firms. In March 2006, the bureaus announced they will begin selling a new credit score that they developed jointly. The score will be calculated the same way for each credit bureau to enhance consistency among all three bureaus. [9] A nationwide specialty CRA is defined in FCRA to mean a CRA that compiles and maintains files on consumers on a nationwide basis relating to medical records or payments; residential or tenant history; check-writing history; employment history; or insurance claims. 15 U.S.C. § 1681a(w). [10] Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT ACT) Act of 2001, Pub. L. No. 107-56, 115 Stat. 272 (Oct. 26, 2001). We will refer to the act as the PATRIOT Act. [11] Title III of the PATRIOT Act (cited as the "International Money Laundering Abatement and Financial Anti-Terrorism Act of 2001") amended the U.S. government's anti-money laundering regulatory structure. For instance, section 326 added new requirements for the Secretary of the Treasury and the federal financial regulators to issue regulations setting forth minimum standards for financial institutions to (1) verify the identity of persons seeking to open an account; (2) maintain records of the information used to verify a person's identity, including name, address, and other identifying information; and (3) consult lists of known or suspected terrorists or terrorist organizations provided to the financial institution by any government agency to determine whether a person seeking to open an account appears on the list. See 31 U.S.C. § 5318(l). Section 326 requirements for customer verification apply to financial institutions broadly, including, among others, financial institutions that are subject to regulation by one of the federal banking regulators, as well as nonfederally insured credit unions, private banks and trust companies; securities broker-dealers; futures commission merchants and introducing brokers; and mutual funds. 31 U.S.C. § 5312 and 31 C.F.R. § Part 103. [12] A manufacturer may request that consumers submit their contact information on a warranty card in the event of a product malfunction or insurance claim. For marketing purposes, many warranty cards request additional information on such things as the gender and age of household occupants, occupation and income information, spending habits, and lifestyle interests; this information is sometimes sold to information resellers. [13] The Fair Credit Reporting Act, described in more detail below, generally permits prescreening only if the financial institution makes a firm offer of credit or insurance for all consumers who meet the criteria for the credit or insurance being offered. 15 U.S.C. § 1681b(c)(1)(B). [14] This report focuses on the use and sharing of personal information among private sector entities, and therefore we only describe laws governing these entities. Other laws, primarily the Privacy Act of 1974, govern the collection and use of personal information by government agencies. See Pub. L. No. 93-579, 88 Stat. 1896 (Dec. 31, 1974), codified at 5 U.S.C. § 552a. [15] The Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, § 262, 110 Stat. 1936 (Aug. 21, 1996), codified at 42 U.S.C. §§ 1320d - 1320d-8, protects the privacy of individually identifiable health information. The scope of this work did not include the collection and use of health information. [16] Pub. L. No. 103-322, title XXX, 108 Stat. 2099 (Sept. 13, 1994) (codified at 18 U.S.C. §§ 2721 - 2725). [17] 18 U.S.C. § 2721(b)(11). [18] Pub. L. No. 63-203, ch. 311, 38 Stat. 717 (Sept. 26, 1914) (codified at 15 U.S.C. §§ 41 - 58). [19] See 12 U.S.C. § 1867 (FRB, FDIC, and OCC); and 12 U.S.C. § 1464(d)(7) (OTS). [20] Although the scope of this report is limited to federal privacy and data security laws, many states have laws of their own that apply to the activities of information resellers. Many of these laws require companies to notify consumers when their personal data may have been lost or stolen. For example, in 2002, California enacted a database breach notification act (Cal. Civ. Code § 1798.82), which requires disclosure of any security breach of data to any state resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. [21] FCRA defines a "consumer report" as "any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer's eligibility for (A) credit or insurance to be used primarily for personal, family, or household purposes; (B) employment purposes; or (C) any other purpose authorized under [15 U.S.C. § 1681b]." 15 U.S.C. § 1681a(d)(1). [22] Pub. L. No. 108-159, 117 Stat. 1952 (Dec. 4, 2003) (codified at 15 U.S.C. §§ 1681c-1, 1681c-2, 1681x, 1681s-3, 1681w). [23] We did not determine which information reseller databases are subject to FCRA. The information we include is based on what information resellers told us about how FCRA applies to their activities. [24] Consumers also have the right to receive a free copy of their credit file from CRAs when they have been victims of identity theft or are subject to an adverse action as a result of information in their file, or in certain other circumstances where they are unemployed, recipients of public welfare, or have reason to believe that their file contains inaccurate information due to fraud. [25] FCRA also provides certain other opt-out rights concerning affiliate sharing. See 15 U.S.C. §§ 1681a(d)(2)(iii); and 1681s-3. In addition to FCRA, GLBA requires that financial institutions allow their customers to opt out of the sharing of their nonpublic personal information with nonaffiliated companies, unless the sharing falls under an exception under GLBA. See 15 U.S.C. § 6802. [26] 16 C.F.R. § 610.2. [27] 16 C.F.R. § 610.3. [28] 15 U.S.C. § 6802. [29] See 15 U.S.C. § 6809(9). GLBA defines a consumer as "an individual who obtains, from a financial institution, financial products or services which are to be used primarily for personal, family, or household purposes." Thus, GLBA does not apply to a business customer, such as a sole proprietor. 16 C.F.R. § 313.3(e). A "customer" means a consumer who has a "customer relationship"--that is, a continuing relationship with the financial institution. [30] 15 U.S.C. § 6802(e)(3)(B) and (6). [31] 15 U.S.C. § 6802(e)(1)(A). [32] 15 U.S.C. § 6809(3)(A). [33] 12 U.S.C. § 1843(k). This is a list of nonbanking activities determined by FRB as of the date of GLBA's enactment to be "so closely related to banking or managing or controlling banks as to be a proper incident thereto." See 12 C.F.R. § 225.28 (1999). FDIC, FRB, NCUA, OCC, OTS and SEC in their implementing GLBA regulations define the term "financial institution" as those institutions in the business of engaging in activities that are financial in nature or incidental to such financial activities. See 12 C.F.R. §§ 40.3(k)(1) (OCC), 216.3(k)(1) (FRB), 332.3(k)(1) (FDIC), 573.3(k)(1) (OTS), and 716.3(l)(1) (NCUA); and 17 C.F.R. § 248.3(n)(1) (SEC). See 16 C.F.R. § 313.3(k)(1) (FTC). [34] 16 C.F.R. § 313.18(a)(2); and 65 Fed. Reg. 33646, 33654 (May 24, 2000). [35] 16 C.F.R. §§ 313.3(k)(1) and (3)(iv). [36] 12 C.F.R. § 225.28(b)(2)(v) (1999). FRB described credit bureau services as those services "maintaining information related to the credit history of consumers and providing the information to a credit grantor who is considering a borrower's application for credit or who has extended credit to the borrower." [37] See Trans Union LLC v. FTC, 295 F.3d 42, 48 (D.C. Cir. 2002); and 16 C.F.R. § 313.3(k). [38] A representative of the company noted that, as required by law, the data used for these two products are kept in separate databases that are not commingled. [39] 16 C.F.R. § 313.11 (FTC); see also 12 C.F.R. §§ 40.11 (OCC), 216.11 (FRB), 332.11 (FDIC), 573.11 (OTS), and 716.11 (NCUA); and 17 C.F.R. § 248.11 (SEC). The regulations were upheld in Individual Reference Services Group, Inc. v. FTC, 145 F. Supp.2d 6, 34 - 35 (D. DC 2002) ("the use restrictions affirmatively imposed by the Regulations are consistent with the purpose of the GLB Act"). [40] The FTC regulation states: "[y]ou may disclose and use the information pursuant to [a GLBA exception] in the ordinary course of business to carry out the activity covered by the exception under which you received the information." 16 C.F.R. § 313.11(a)(1)(iii). [41] See 15 U.S.C. § 6802(c), which states: "[A] nonaffiliated third party that receives from a financial institution nonpublic personal information . . . shall not . . . disclose such information to any other person that is a nonaffiliated third party of both the financial institution and such receiving third party, unless such disclosure would be lawful if made directly to such other person by the financial institution." This provision is commonly referred to as GLBA's reuse and redisclosure provision. See 16 C.F.R. § 313.11(b)(1)(iii). [42] See 15 U.S.C. § 6801 note. [43] The company said that it does not allow information collected for its FCRA-regulated database to be used to update the "pre-GLBA" database. [44] 15 U.S.C. § 6801. [45] See, for example, 16 C.F.R. § 314.3 (FTC). [46] See, for example, 16 C.F.R. § 314.4(d). [47] The settlement will require BJ's Wholesale Club to implement a comprehensive information security program and obtain audits by an independent third-party security professional every other year for 20 years. In the Matter of BJ's Wholesale Club, Inc., F.T.C. No. 0423160 (2005). A consent agreement does not constitute an admission of a violation of law. [48] Prepared Statement of the Federal Trade Commission on "Data Breaches and Identity Theft" Before the Senate Comm. on Commerce, Science, and Transportation, 109th Cong., 1st Sess. (2005). [49] Although there is no applicable federal statute governing notification of data breaches, the banking agencies have issued guidance to financial institutions under their jurisdiction requiring them in some cases to notify customers affected by a data breach. States that have enacted breach notification requirements include Arizona, Arkansas, California, Colorado, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Kansas, Louisiana, Maine, Minnesota, Montana, Nebraska, Nevada, New Jersey, New York, North Carolina, North Dakota, Ohio, Pennsylvania, Rhode Island, Tennessee, Texas, Utah, Vermont, Washington, and Wisconsin. Many other states have introduced legislation. [50] United States v. ChoicePoint, Inc., No. 1:06-cv-00198-JTC (N.D. Ga., Feb. 15, 2006). As part of the settlement, ChoicePoint admitted no violations of law. According to ChoicePoint, the company has taken steps since the breach to enhance its customer screening process and to assist affected consumers. [51] Congressional Research Service, Personal Data Security Breaches: Context and Incident Summaries, Order Code RL33199 (Washington, D.C., Dec. 16, 2005). [52] For example, Identity Theft: Recent Developments Involving the Security of Sensitive Consumer Information: Hearing Before the Senate Comm. on Banking, Housing, and Urban Affairs, 109th Cong., 1st Sess. (2005); Securing Electronic Personal Data: Striking a Balance Between Privacy and Commercial and Governmental Use: Hearing Before the Senate Comm. on the Judiciary, 109th Cong., 1st Sess. (2005); Assessing Data Security: Preventing Breaches and Protecting Sensitive Information: Hearing Before the House Comm. on Financial Services, 109th Cong., 1st Sess. (2005); Securing Consumers' Data: Options Following Security Breaches: Hearing Before the Subcomm. On Commerce, Trade, and Consumer Protection of the House Comm. on Energy and Commerce, 109th Cong., 1st Sess. (2005). [53] For more information on the key benefits and challenges associated with notifying the public about security breaches, see GAO, Privacy: Preventing and Responding to Improper Disclosures of Personal Information, GAO-06-833T (Washington, D.C.: June 8, 2006). [54] FCRA gives enforcement authority to FDIC, FRB, OCC, OTS, and NCUA over their banks, thrifts, and credit unions, among other entities. FCRA assigned regulatory authority to the Departments of Transportation and Agriculture over entities under their jurisdiction. 15 U.S.C. § 1681s. [55] 15 U.S.C. § 6805. GLBA required FTC and other regulators with responsibilities under the statute to issue consistent and comparable regulations. 15 U.S.C. § 6804. [56] 15 U.S.C. § 1681s(c). [57] Conn. Gen. Stat. Anno. §§ 36a-41 - 44 (disclosure to broker- dealers or investment advisers engaged in contractual networking arrangements with the financial institution permitted after the customer is given notice and an opportunity to opt out); N.D. Cent. Code §§ 6.08.1-01 - 10; Vt. Stat. Anno. Tit 8, §§ 10201 - 10205. [58] For instance, FTC staff told us the agency filed suit in the following cases: In the Matter of Credit Bureau of Lorain, Inc., 81 F.T.C. 381 (1972); In the Matter of Credit Bureau of Columbus, Inc., 81 F.T.C. 938 (1972); In the Matter of Credit Bureau of Greater Syracuse, Inc., 84 F.T.C. 1660 (1974); In the Matter of Robert N. Barnes, 85 F.T.C. 520 (1975); In the Matter of Filmdex Chex System, Inc., 85 F.T.C. 889 (1975); In the Matter of Credit Data Northwest, 86 F.T.C. 389 (1975); In the Matter of Interstate Check Systems, Inc., 88 F.T.C. 984 (1976); In the Matter of Moore & Associates, Inc., 92 F.T.C. 440 (1978); In the Matter of Howard Enterprises, Inc., 93 F.T.C. 909 (1979); In the Matter of Trans Union Credit Information Co., 102 F.T.C. 1109 (1983); FTC v. TRW Inc., 784 F. Supp. 361 (N.D. Tex. 1991); In the Matter of I.R.S.C., Inc., 116 F.T.C. 266 (1993); In the Matter of CDB Infotek, 116 F.T.C. 280 (1993); In the Matter of Inter-Fact Inc., 116 F.T.C. 294 (1993); In the Matter of W.D.I.A.Corp., 117 F.T.C. 757 (1994); In the Matter of Equifax Credit Information Services, Inc., 120 F.T.C. 577 (1995). See also United States v. ChoicePoint, Inc., No. 1:06-cv-00198-JTC (N.D. Ga. Feb. 15, 2006); United States v. Far West Credit, Inc., No. 2:06-cv-00041-TC (C.D. Utah Jan. 17, 2006); and In the Matter of Southern Maryland Credit Bureau, Inc., 101 F.T.C. 19 (1983). [59] In 1996, TRW Inc. sold its credit reporting business to a group of investors, who named the new company Experian. [60] FTC has also enforced FCRA against resellers for other types of violations. For example, in 2000 FTC settled with the three nationwide credit bureaus after alleging that consumers were unable to adequately access the companies' personnel by telephone to discuss or dispute possible errors in their files. United States v. Equifax Credit Information Services, Inc., No. 1:00-CV-0087 (N.D. Ga. 2000); United States v. Experian Information Solutions, Inc., 3-00CV0056-L. (N.D. Tx. 2000); and United States v. Trans Union LLC, No. 00C 0235 (N.D. Ill. 2000). See [Hyperlink, http://www.ftc.gov/opa/2000/01/busysignal.htm]. A consent agreement does not constitute an admission of a violation of law. [61] In the Matter of Equifax Credit Information Services, Inc., 120 F.T.C. 577 (1995). A consent agreement does not constitute an admission of a violation of law. [62] In the Matter of Trans Union Corp., F.T.C. No. 9255, 2000 WL 257766 (2000), petition for review denied, 245 F.3d 809 (D.C. Cir. 2001). [63] United States v. ChoicePoint, Inc., No. 1:06-cv-00198-JTC (N.D. Ga., Feb. 15, 2006). [64] Injunctions are judicial orders commanding a party to take an action or prohibiting a party from doing or continuing to do a certain activity. Disgorgement is having to give up profits or other gains illegally obtained. [65] 15 U.S.C. § 1681s and 15 U.S.C. § 45(l) and (m). Regarding GLBA's prohibition against fraudulent access to financial information where a person obtains financial information relating to another person under false pretences (pretext provisions), GLBA allows FTC to seek civil penalties for violations. Specifically, FTC has authority to enforce the GLBA pretext provisions in the same manner and with the same power and authority as it has under the Fair Debt Collection Practices Act (codified at 15 U.S.C. §§ 1692 - 1692o). 15 U.S.C. § 6822(a). A violation of the Fair Debt Collection Practices Act is deemed by federal law to be an unfair or deceptive act or practice in violation of the FTC Act, which means that FTC may impose civil penalties. 15 U.S.C. § 1692l(a); and United States v. National Financial Services, Inc., 98 F.3d 131, 139 - 141 (4th Cir. 1996). According to FTC officials, they do not have similar civil penalty authority for violations of GLBA's privacy and safeguarding provisions. [66] 12 U.S.C. § 1818(i)(2)(A)(i). [67] Some exceptions may exist. For example, section 411 of the FACT Act (which amended section 604(g) of FCRA (12 U.S.C. 1681b(g))), generally limits with certain exceptions creditors' ability to obtain or use medical information pertaining to a consumer for credit purposes. This section requires the banking regulatory agencies and NCUA to issue regulations relating to the use of medical information in credit transactions. The regulations apply broadly, and the exceptions therein are available to all creditors, not just the financial institutions supervised by those agencies. See final rule published at 70 Fed. Reg. 70664, 70665 - 6 (Nov. 22, 2005). [68] In addition to the responsibilities assigned to financial institution regulators and FTC, FCRA assigns enforcement authority to the Departments of Transportation and Agriculture for entities subject to their oversight, such as transportation carriers. [69] The various banking agency GLBA and FCRA regulations can be found at 12 C.F.R. Parts 40 and 41 (OCC); 12 C.F.R. Parts 216, 222, and 232 (FRB); 12 C.F.R. Parts 332 and 334 (FDIC); 12 C.F.R. Parts 573 and 571 (OTS); and 12 C.F.R. Parts 716 and 717 (NCUA). [70] 65 Fed. Reg. 35162 (June 1, 2000); and 65 Fed. Reg. 31722 (May 18, 2000). OCC, FRB, OTS, and FDIC issued their rules jointly. All of the rules were substantively identical but contained differences to account for differences between the agencies' legal authorities and, as appropriate, for the types of institutions within each agency's jurisdiction. [71] 66 Fed. Reg. 8616 (Feb. 1, 2001) ("Interagency Guidelines Establishing Standards for Safeguarding Customer Information") (renamed "Interagency Guidelines Establishing Information Security Standards," 70 Fed. Reg. 15736 (Mar. 29, 2005)). [72] 70 Fed. Reg. 15736 (Mar. 29, 2005) ("Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice"). [73] Pub. L. No. 108-109, 117 Stat. 1952 (Dec. 4, 2003). [74] See 15 U.S.C. § 1681w; 69 Fed. Reg. 77610 (Dec. 28, 2004); and 69 Fed. Reg. 68690 (Nov. 24, 2004). [75] The examinations are risk-based and conducted in cycles depending on the institution's condition and size. Banking regulators are required by law, 12 U.S.C. § 1820(d), to examine insured institutions for safety and soundness at least once during each 12-month period, except for smaller institutions that meet specified conditions that can be examined each 18-month period. We use the term "thrifts" to refer to savings associations. [76] Banking regulators have broad enforcement powers and can take formal actions (cease and desist orders, civil money penalties, removal orders, and suspension orders, among others) or informal enforcement actions (such as memoranda of understanding and board resolutions). Informal actions are generally not publicly disclosed. [77] 65 Fed. Reg. 40334 (June 29, 2000), codified at 17 C.F.R. Part 248. SEC, NASD, and NYSE Regulation regulate broker-dealers by, among other things, examining their operations and reviewing customer complaints. SEC evaluates the quality of NASD and NYSE oversight in enforcing their members' compliance with federal securities laws through self-regulatory organization oversight inspections and broker- dealer oversight examinations. SEC is the primary regulator of investment companies and investment advisers registered with the SEC. [78] 17 C.F.R. § 248.30. [79] An examination finding would be any compliance deficiency (including an internal control weakness) or violation requiring corrective action. [80] NASD Notice to Members 00-66 (September 2000). [81] NASDR Regulatory and Compliance Alert (Summer 2001). [82] NYSE Information Memoranda Nos. 01-10 (June 19, 2001) and 01-13 (June 21, 2001). [83] 15 U.S.C. § 6805(a)(6). State insurance authorities may enforce GLBA and may establish privacy regulations. However, GLBA mandates that state insurance authorities establish standards for safeguarding customer information and that the standards be implemented by rules. 15 U.S.C. §§ 6801(b) and 6805(b)(2). Moreover, if a state insurance authority fails to adopt regulations to carry out GLBA's privacy and safeguarding provisions, the state forfeits its eligibility under GLBA to override certain customer protection regulations promulgated by the federal depository institution regulators applicable to insurance sales by or at depository institutions. 15 U.S.C. § 6805(c). [84] We did not corroborate or independently verify NAIC's analysis. [85] GAO, Financial Privacy: Status of State Actions on Gramm-Leach- Bliley Act's Privacy Provisions, GAO-02-361 (Washington, D.C.: Apr. 12, 2002). [86] District of Columbia, Department of Insurance, Securities and Banking, Preliminary Report: Status of Insurance Industry Practices and Procedures to Protect the Privacy of Customer Information (September 2005). According to department staff, the final report is pending. The staff said the preliminary and final results should not differ because the preliminary results included responses of more than 90 percent of the companies, including all of the large companies. [87] FTC's GLBA and FCRA regulations can be found at 16 C.F.R. Parts 313 and 314 and 16 C.F.R. Parts 600 through 698. [88] FTC v. 30 Minute Mortgage, Inc., No. 03-60021-CIV (S.D. Fla. 2003); FTC v. Sainz Enterprises LLC, No. 04WM-2078 (CBS) (D. Co. 2004); In the Matter of Superior Mortgage Corp., F.T.C. No. 052-3136 (2005); In the Matter of Sunbelt Lending Servs., FTC No. C-4129 (2005); In the Matter of Nationwide Mortgage Group, Inc., F.T.C. No 9319 (2005); FTC v. Nat'l. Consumer Council, Inc., No. SACV04-0474CJC (JWJX) (C.D. Cal. 2005); FTC v. Debt Mgmt. Found. Serv., Inc., No. 8:04-cv-01674-EAK-MSS (M.D. Fla. 2005). A consent agreement does not constitute an admission of a violation of law. [89] See 12 U.S.C. § 1867 (FRB, FDIC, and OCC); and 12 U.S.C. § 1464(d)(7) (OTS). [90] In January 2006, we reported on contractors' access to and sharing of Social Security numbers and federal oversight of regulated entities that contract for services. See GAO, Social Security Numbers: Stronger Protections Needed When Contractors Have Access to SSNs, GAO-06-238 (Washington, D.C.: Jan. 23, 2006). [91] NCUA had temporary authority to examine third-party service providers under the Examination Parity and Year 2000 (Y2K) Readiness for Financial Institutions Act, Pub. L. No. 105-164, 112 Stat. 32 (Mar. 20, 1998) but that authority expired as of December 31, 2001. 12 U.S.C. § 1786a(c) and (f). [92] GAO, Credit Unions: Financial Condition Has Improved, but Opportunities Exist to Enhance Oversight and Share Insurance Management, GAO-04-91 (Washington, D.C.: Oct. 27, 2003). [93] NASD Notice to Members 05-48 (July 2005). [94] NASD Notice to Members 05-49 (July 2005). [95] SR-NYSE-2005-22, Proposed Rule 340, Outsourcing: Due Diligence and Conditions in the Use of Service Providers, and Proposed Amendments to Rule 342, Offices - Approval, Supervision and Control (Mar. 16, 2005). [96] See Testimony of the Federal Trade Commission before the Senate Committee on Science, Commerce, and Transportation at p. 7, available at [Hyperlink, http://www.ftc.gov/opa/2005/06/datasectest.htm]. [97] Id. at p. 9, n.18. [98] To date, the Commission has brought 13 legal actions against entities that allegedly failed to implement reasonable and appropriate data security for sensitive consumer data. See [Hyperlink, http://www.ftc.gov/privacy/index.html]. GAO's Mission: The Government Accountability Office, the investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through the Internet. GAO's Web site ( www.gao.gov ) contains abstracts and full-text files of current reports and testimony and an expanding archive of older products. The Web site features a search engine to help you locate documents using key words and phrases. You can print these documents in their entirety, including charts and other graphics. Each day, GAO issues a list of newly released reports, testimony, and correspondence. GAO posts this list, known as "Today's Reports," on its Web site daily. The list contains links to the full-text document files. To have GAO e-mail this list to you every afternoon, go to www.gao.gov and select "Subscribe to e-mail alerts" under the "Order GAO Products" heading. Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. Government Accountability Office 441 G Street NW, Room LM Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov Automated answering system: (800) 424-5454 or (202) 512-7470: Public Affairs: Jeff Nelligan, managing director, NelliganJ@gao.gov (202) 512-4800 U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, D.C. 20548: